Logical Methods in Computer Science 
Vol. 6 (4:2) 2010, pp. 1-39 
www.lmcs-online.org 



Submitted Sep. 17, 2010 
Published Oct. 20, 2010 



A MODEL OF COOPERATIVE THREADS* 



MARTÍN ABADI (a) AND GORDON D. PLOTKIN (b)



(a) Microsoft Research, Silicon Valley; University of California, Santa Cruz
e-mail address: abadi@microsoft.com

(b) Microsoft Research, Silicon Valley; LFCS, University of Edinburgh
e-mail address: gdp@inf.ed.ac.uk



Abstract. We develop a model of concurrent imperative programming with threads. We focus on a small imperative language with cooperative threads which execute without interruption until they terminate or explicitly yield control. We define and study a trace-based denotational semantics for this language; this semantics is fully abstract but mathematically elementary. We also give an equational theory for the computational effects that underlie the language, including thread spawning. We then analyze threads in terms of the free algebra monad for this theory.



1. Introduction

In the realm of sequential programming, semantics, whether operational or denotational, provides a rich understanding of programming constructs and languages, and serves a broad range of purposes. These include, for instance, the study of verification techniques and the reconciliation of effects with functional programming via monads. With notorious difficulties, these two styles of semantics have been explored for concurrent programming, and, by now, a substantial body of work provides various semantic accounts of concurrency. Typically, that work develops semantics for languages with parallel-composition constructs and various communication mechanisms.

Surprisingly, however, that work provides only a limited understanding of threads. It includes several operational semantics of languages with threads, sometimes with operational notions of equivalence, e.g., [BMT92, PR97, Jef97, JR05]; denotational semantics of those languages seem to be much rarer, and to address message passing rather than shared-memory concurrency, e.g., [FH99, Def95]. Yet threads are in widespread use, often in the context of elaborate shared-memory systems and languages for which a clear semantics would be beneficial.

In this paper, we investigate a model of concurrent imperative programming with threads. We focus on cooperative threads which execute, without interruption, until they either terminate or else explicitly yield control. Non-cooperative threads, that is, threads with preemptive scheduling, can be seen as threads that yield control at every step. In this sense, they are a special case of the cooperative threads that we study.

Cooperative threads appear in several systems, programming models, and languages. Often without much linguistic support, they have a long history in operating systems and databases, e.g., [SQL07]. Cooperative threads also arise in other contexts, such as Internet services and synchronous programming [AHT02, BCZ05, Bou06, Bou07, AZ06]. Most recently, cooperative threads are central in two models for programming with transactions, Automatic Mutual Exclusion (AME) and Transactions with Isolation and Cooperation (TIC) [IB07, SKB07]. AME is one of the main starting points for our research. The intended implementations of AME rely on software transactional memory [ST95] for executing multiple cooperative threads simultaneously. However, concurrent transactions do not appear in the high-level operational semantics of the AME constructs [ABH08]. Thus, cooperative threads and their semantics are of interest independently of the details of possible transactional implementations.

We define and study three semantics for an imperative language with primitives for 
spawning threads, yielding control, and blocking execution. 

• We obtain an operational semantics by a straightforward adaptation of previous work. 
In this semantics, we describe the meaning of a whole program in terms of small-step 
transitions between states in which spawned threads are kept in a thread pool. This 
semantics serves as a reference point. 

• We also define a more challenging compositional denotational semantics. The meaning of a command is a prefix-closed set of traces. Prefix-closure arises because we are primarily interested in safety properties, that is, in "may" semantics. Each trace is roughly a sequence of transitions, where each transition is a pair of stores, and a store is a mapping from variables to values. We establish adequacy and full-abstraction theorems with respect to the operational semantics. These results require several non-trivial choices in the definition of the denotational semantics.

• Finally, we define a semantics based on the algebraic theory of effects. More precisely, we 
give an equational theory for the computational effects that underlie the language, and 
analyze threads in terms of the free algebra monad for this theory. This definition is more 
principled and systematic; it explains threads with standard semantic structures, in the 
context of functional programming. As we show, furthermore, we obtain our denotational 
semantics as a special case. 

Section 2 introduces our language and Section 3 defines its operational semantics. Section 4 develops its denotational semantics. Section 5 presents our adequacy and full-abstraction theorems (Theorems 5.10 and 5.15). Section 6 concerns the algebraic theory of effects and the analysis of the denotational semantics in this monadic setting (Theorem 6.4). Section 7 concludes.

2. The Language 

Our language is an extension of a basic imperative language with assignments, sequencing, conditionals, and while loops (IMP [Win93]). Programs are written in terms of a finite set of variables Vars, whose values are natural numbers. In addition to those standard constructs, our language includes:
    b ∈ BExp          (boolean expressions, as usual)
    e ∈ NExp          (numerical expressions, as usual)
    C, D ∈ Com ::= skip
                 | x := e   (x ∈ Vars)
                 | C;D
                 | if b then C else D
                 | while b do C
                 | async C
                 | yield
                 | block

Figure 1: Syntax.



• A construct for executing a command in an asynchronous thread. Informally, async C 
forks off the execution of C. This execution is asynchronous, and will not happen if the 
present thread keeps running without ever yielding control, or if the present thread blocks 
without first yielding control. 

• A construct for yielding control. Informally, yield indicates that any pending thread 
may execute next, as may the current thread. 

• A construct for blocking. Informally, block halts the execution of the entire program, 
even if there are pending threads that could otherwise make progress. 

We define the syntax of the language in Figure 1. We do not detail the constructs on numerical and boolean expressions, which are as usual.

Figure 2 gives an illustrative example. It shows a piece of code that spawns the asynchronous execution of x := 0, then executes x := 1 and yields, then resumes but blocks unless the predicate x = 0 holds, then executes x := 2. The execution of x := 0 may happen once the yield statement is reached. With respect to safety properties, the conditional blocking amounts to waiting for x = 0 to hold. More generally, AME's blockUntil b can be written if b then skip else block.



    async x := 0;
    x := 1;
    yield;
    if x = 0 then skip else block;
    x := 2

Figure 2: Example command.

More elaborate uses of blocking are possible too, and supported by lower-level semantics and actual transactional implementations [IB07, ABH08]. In those implementations, blocking may cause a roll-back and a later retry at an appropriate time. We regard roll-back as an interesting aspect of some possible implementations, but not as part of the high-level semantics of our language, which is the subject of this work.



Figure 3: State space.



Thus, our language is basically a fragment of the AME calculus [ABH08]. It omits higher-order functions and references. It also omits "unprotected sections" for non-cooperative code, particularly legacy code. Non-cooperative code can however be modeled as code with pervasive calls to yield (at least with respect to the simple, strong memory models that we use throughout this paper; cf. [GMP06]). See Section 7 for further discussion of possible extensions to our language.

3. Operational Semantics 

We give an operational semantics for our language. Despite some subtleties, this semantics is not meant to be challenging. It is given in terms of small-step transitions between states. Accordingly, we define states, evaluation contexts, and the transition relation.

3.1. States. As described in Figure 3, a state $\Gamma = (\sigma, T, C)$ consists of the following components:

• a store σ which is a mapping of the given finite set Vars of variables to a set Value of values, which we take to be the set of natural numbers;

• a finite sequence of commands T which we call the thread pool;

• a distinguished active command C.

We write $\sigma[x \mapsto n]$ for the store that agrees with σ except at x, which is mapped to n. We write $\sigma(b)$ for the boolean denoted by b in σ, and $\sigma(e)$ for the natural number denoted by e in σ, similarly. We write $T.T'$ for the concatenation of two thread pools T and T'.

3.2. Evaluation Contexts. As usual, a context is an expression with a hole $[\,]$, and an evaluation context is a context of a particular kind. Given a context $\mathcal{C}$ and a command C, we write $\mathcal{C}[C]$ for the result of placing C in the hole in $\mathcal{C}$. We use the evaluation contexts defined by the grammar:

$\mathcal{E} ::= [\,] \mid \mathcal{E};C$
$(\sigma, T, \mathcal{E}[x := e]) \to (\sigma[x \mapsto n], T, \mathcal{E}[\mathtt{skip}])$   (if $\sigma(e) = n$)

$(\sigma, T, \mathcal{E}[\mathtt{skip}; C]) \to (\sigma, T, \mathcal{E}[C])$

$(\sigma, T, \mathcal{E}[\mathtt{if}\ b\ \mathtt{then}\ C\ \mathtt{else}\ D]) \to (\sigma, T, \mathcal{E}[C])$   (if $\sigma(b) = \mathit{true}$)

$(\sigma, T, \mathcal{E}[\mathtt{if}\ b\ \mathtt{then}\ C\ \mathtt{else}\ D]) \to (\sigma, T, \mathcal{E}[D])$   (if $\sigma(b) = \mathit{false}$)

$(\sigma, T, \mathcal{E}[\mathtt{while}\ b\ \mathtt{do}\ C]) \to (\sigma, T, \mathcal{E}[\mathtt{if}\ b\ \mathtt{then}\ (C; \mathtt{while}\ b\ \mathtt{do}\ C)\ \mathtt{else}\ \mathtt{skip}])$

$(\sigma, T, \mathcal{E}[\mathtt{async}\ C]) \to (\sigma, T.C, \mathcal{E}[\mathtt{skip}])$

$(\sigma, T, \mathcal{E}[\mathtt{yield}]) \to (\sigma, T.\mathcal{E}[\mathtt{skip}], \mathtt{skip})$

$(\sigma, T.C.T', \mathtt{skip}) \to (\sigma, T.T', C)$

Figure 4: Transition rules of the abstract machine.



3.3. Steps. A transition $\Gamma \to \Gamma'$ takes an execution from one state to the next. Figure 4 gives rules that specify the transition relation. According to these rules, when the active command is skip, a command from the pool becomes the active command. It is then evaluated as such until it produces skip, yields, or blocks. No other computation is interleaved with this evaluation. Each evaluation step produces a new state, determined by decomposing the active command into an evaluation context and a subexpression that describes a computation step (for instance, a yield or a conditional).

In all cases at most one rule applies. In two cases, no rule applies. The first is when the active command is skip and the pool is empty; this situation corresponds to normal termination. The second is when the active command is blocked, in the sense that it has the form $\mathcal{E}[\mathtt{block}]$; this situation is an abnormal termination.

We write $\Gamma \to_c \Gamma'$ when $\Gamma \to \Gamma'$ via the last rule, and call this a choice transition. We write $\Gamma \to_a \Gamma'$ when $\Gamma \to \Gamma'$ via the other rules, and call this an active transition. Active transitions are deterministic, i.e., if $\Gamma \to_a \Gamma'$ and $\Gamma \to_a \Gamma''$ then $\Gamma' = \Gamma''$.
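As an added illustration (not part of the paper), the following Python program implements the abstract machine of Figure 4 literally: a state is a triple (store, pool, active command), each active transition is found by decomposing the active command into an evaluation context and a redex, and an exhaustive search over all choice transitions collects the terminal outcomes. On the command of Figure 2 it exhibits exactly the two executions the text describes: normal termination with x = 2 when x := 0 runs before the conditional, and abnormal termination (blocking) with x = 1 otherwise. The AST class names, the 'done'/'blocked' labels and the tuple encoding of stores are this example's own conventions.

```python
"""Abstract machine of Figure 4 (added example): a state is (store, pool, active)."""
from dataclasses import dataclass

# Expressions: Const and Var are numerical, Eq is the boolean expression e1 = e2.
@dataclass(frozen=True)
class Const: n: int
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Eq: left: object; right: object

def ev(e, store):  # sigma(e) / sigma(b): value of an expression in a store
    if isinstance(e, Const):
        return e.n
    if isinstance(e, Var):
        return dict(store)[e.name]
    return ev(e.left, store) == ev(e.right, store)

# Commands of Figure 1; frozen so that states are hashable and can be kept in a set.
# The store is a sorted tuple of (variable, value) pairs, the pool a tuple of commands.
@dataclass(frozen=True)
class Skip: pass
@dataclass(frozen=True)
class Block: pass
@dataclass(frozen=True)
class Yield: pass
@dataclass(frozen=True)
class Assign: var: str; expr: object
@dataclass(frozen=True)
class Seq: first: object; second: object
@dataclass(frozen=True)
class If: cond: object; then: object; else_: object
@dataclass(frozen=True)
class While: cond: object; body: object
@dataclass(frozen=True)
class Async: body: object

def decompose(cmd):
    """Split cmd into an evaluation context E ::= [] | E;C (the commands right of the
    hole, innermost first) and the redex in the hole; skip;C counts as a redex."""
    ctx = []
    while isinstance(cmd, Seq) and not isinstance(cmd.first, Skip):
        ctx.insert(0, cmd.second)
        cmd = cmd.first
    return ctx, cmd

def plug(cmd, ctx):  # E[cmd]: rebuild the active command from redex and context
    for c in ctx:
        cmd = Seq(cmd, c)
    return cmd

def active_step(state):
    """The unique active transition of Figure 4 (every rule but the last), or None
    when the active command is skip (a choice is needed) or has the form E[block]."""
    store, pool, active = state
    ctx, redex = decompose(active)
    if isinstance(redex, Assign):        # (s, T, E[x := e]) -> (s[x -> n], T, E[skip])
        new = {**dict(store), redex.var: ev(redex.expr, store)}
        return tuple(sorted(new.items())), pool, plug(Skip(), ctx)
    if isinstance(redex, Seq):           # (s, T, E[skip; C]) -> (s, T, E[C])
        return store, pool, plug(redex.second, ctx)
    if isinstance(redex, If):            # branch selected by s(b)
        return store, pool, plug(redex.then if ev(redex.cond, store) else redex.else_, ctx)
    if isinstance(redex, While):         # unroll one iteration
        return store, pool, plug(If(redex.cond, Seq(redex.body, redex), Skip()), ctx)
    if isinstance(redex, Async):         # (s, T, E[async C]) -> (s, T.C, E[skip])
        return store, pool + (redex.body,), plug(Skip(), ctx)
    if isinstance(redex, Yield):         # (s, T, E[yield]) -> (s, T.E[skip], skip)
        return store, pool + (plug(Skip(), ctx),), Skip()
    return None                          # skip on its own, or E[block]

def successors(state):
    """The active transition if one applies, otherwise the choice transitions
    (s, T.C.T', skip) -> (s, T.T', C); an empty list marks a terminal state."""
    store, pool, active = state
    nxt = active_step(state)
    if nxt is not None:
        return [nxt]
    if isinstance(active, Skip):
        return [(store, pool[:i] + pool[i + 1:], pool[i]) for i in range(len(pool))]
    return []

def explore(cmd, store, limit=10000):
    """Run every interleaving from (store, empty pool, cmd) and return the terminal
    outcomes: ('done', store) for skip with an empty pool, ('blocked', store) for
    E[block].  A loop that never changes state (while (0 = 0) do skip) yields neither."""
    start = (tuple(sorted(store.items())), (), cmd)
    seen, todo, outcomes = {start}, [start], set()
    while todo:
        st = todo.pop()
        nxt = successors(st)
        if not nxt:
            outcomes.add(("done" if isinstance(st[2], Skip) else "blocked", st[0]))
        for n in nxt:
            if n not in seen:
                if len(seen) >= limit:
                    raise RuntimeError("state space too large; the program may not terminate")
                seen.add(n); todo.append(n)
    return outcomes

def figure2():
    """async x := 0; x := 1; yield; if x = 0 then skip else block; x := 2"""
    return Seq(Async(Assign("x", Const(0))), Seq(Assign("x", Const(1)), Seq(Yield(),
           Seq(If(Eq(Var("x"), Const(0)), Skip(), Block()), Assign("x", Const(2))))))
```

`explore(figure2(), {"x": 5})` returns both outcomes, while `explore(While(Eq(Const(0), Const(0)), Skip()), {"x": 0})` returns the empty set and `explore(Block(), {"x": 0})` a single blocked outcome, the operational counterpart of the distinction Section 4.5 draws between a non-yielding infinite loop and block.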



4. Denotational Semantics 

Next we give a compositional denotational semantics for the same language. Here, the 
meaning of a command is a prefix-closed set of traces, where each trace is roughly a sequence 
of transitions, and each transition is a pair of stores. 

The use of sequences of transitions goes back at least to Abrahamson's work [Abr79] and appears in various studies of parallel composition [AP93, HdeBR94, Bro96, Bro02]. However, the treatment of threads requires some new non-trivial choices. For instance, transition sequences, as we define them, include markers to indicate not only normal termination but also the return of the main thread of control. Moreover, although these markers are similar, they are attached to traces in different ways, one inside pairs of stores, the other not. Such details are crucial for adequacy and full abstraction.
Also crucial to full abstraction is minimizing the information that the semantics records. More explicit semantics will typically be more transparent, for instance, in detailing that a particular step in a computation causes the spawning of a thread, but will consequently fail to be fully abstract.

Section 4.1 is an informal introduction to some of the details of the semantics. Section 4.2 defines transition sequences and establishes some notation. Sections 4.3 and 4.4 define the interpretations of commands and thread pools, respectively. Section 4.5 discusses semantic equivalences.

4.1. Informal Introduction. As indicated above, the meaning of a command will be a prefix-closed set of traces, where each trace is roughly a sequence of transitions, and each transition is a pair of stores. Safety properties — which pertain to what "may" happen — are closed under prefixing, hence the prefix-closure condition. Intuitively, when the meaning of a command includes a trace $(\sigma_1, \sigma_1')(\sigma_2, \sigma_2')\ldots$, we intend that the command may start executing with store $\sigma_1$, transform it to $\sigma_1'$, yield, then resume with store $\sigma_2$, transform it to $\sigma_2'$, yield again, and so on.

In particular, the meaning of block will consist of the empty sequence $\varepsilon$. The meaning of yield; block will consist of the empty sequence $\varepsilon$ plus every sequence of the form $(\sigma, \sigma)$, where σ is any store. Here, the pair $(\sigma, \sigma)$ is a "stutter" that represents immediate yielding.

If the meaning of a command C includes $(\sigma_1, \sigma_1') \ldots (\sigma_n, \sigma_n')$ and the meaning of a command D includes $(\sigma_n', \sigma_n'') \ldots (\sigma_m, \sigma_m')$, one might naively expect that the meaning of C;D would contain $(\sigma_1, \sigma_1') \ldots (\sigma_n, \sigma_n'') \ldots (\sigma_m, \sigma_m')$, which is obtained by concatenation plus a simple local composition between $(\sigma_n, \sigma_n')$ and $(\sigma_n', \sigma_n'')$. Unfortunately, this naive expectation is incorrect. In a trace $(\sigma_1, \sigma_1')(\sigma_2, \sigma_2') \ldots$, some of the pairs may represent steps taken by commands to be executed asynchronously. Those steps need not take place before any further command D starts to execute.

Accordingly, computing the meaning of C;D requires shuffling suffixes of traces in C with traces in D. The shuffling represents the interleaving of C's asynchronous work with D's work. We introduce a special return marker "Ret" in order to indicate how the traces in C should be parsed for this composition. In particular, when C is of the form $C_1; \mathtt{async}\,(C_2)$, any occurrence of "Ret" in the meaning of $C_2$ will not appear in the meaning of C. The application of async erases any occurrence of "Ret" from the meaning of $C_2$ — intuitively, because $C_2$ does not return control to its sequential context.

For example, the meaning of the command

x := n; yield; x := n'

will contain the trace

$(\sigma, \sigma[x \mapsto n])(\sigma', \sigma'[x \mapsto n']\ \mathrm{Ret})$

for every σ and σ'. On the other hand, the meaning of the command

x := n; async (x := n'); yield

will contain the trace

$(\sigma, \sigma[x \mapsto n]\ \mathrm{Ret})(\sigma', \sigma'[x \mapsto n'])$

for every σ and σ'. The different positions of the marker Ret correspond to different junction points for any commands to be executed next.

If the meaning of C contains $u(\sigma_n, \sigma_n'\ \mathrm{Ret})u'$ and the meaning of D contains $(\sigma_n', \sigma'')v$, then the meaning of C;D contains $u(\sigma_n, \sigma'')w$, where w is a shuffle of u' and v. Notice that the marker from $u(\sigma_n, \sigma_n'\ \mathrm{Ret})u'$ disappears in this combination. The marker in $u(\sigma_n, \sigma'')w$, if present, comes from $(\sigma_n', \sigma'')v$. An analogous combination applies when the meaning of C contains $u(\sigma_n, \sigma_n'\ \mathrm{Ret})u'$ and the meaning of D contains $(\sigma_n', \sigma''\ \mathrm{Ret})v$ (a trace that starts with a transition with a marker). Moreover, if the meaning of C contains a trace without any occurrence of the marker Ret, then this trace is also in the meaning of C;D: the absence of a marker makes it impossible to combine this trace with traces from D.

An additional marker, "Done", ends traces that represent complete normally terminating executions. Thus, the meaning of skip will consist of the empty sequence $\varepsilon$ and every sequence of the form $(\sigma, \sigma\ \mathrm{Ret})$ plus every sequence of the form $(\sigma, \sigma\ \mathrm{Ret})\mathrm{Done}$. Contrast this with the meaning of yield; block given above.

It is possible for a trace to contain a Ret marker but not a Done marker. Thus, the meaning of async (block) will contain the empty sequence $\varepsilon$ plus every sequence of the form $(\sigma, \sigma\ \mathrm{Ret})$, but not $(\sigma, \sigma\ \mathrm{Ret})\mathrm{Done}$.

More elaborately, the meaning of the code of Figure 2 will contain all traces of the form

$(\sigma, \sigma[1])(\sigma[1], \sigma[0])(\sigma[0], \sigma[2]\ \mathrm{Ret})\mathrm{Done}$

where we write σ[n] as an abbreviation for $\sigma[x \mapsto n]$. These traces model normal termination after taking the true branch of the conditional if x = 0 then x := 2 else block. The meaning will also contain all prefixes of those traces, which model partial executions — including those that take the false branch of the conditional and terminate abnormally.

The two markers are somewhat similar. However, note that $(\sigma, \sigma'\ \mathrm{Ret})$ is a prefix of $(\sigma, \sigma'\ \mathrm{Ret})\mathrm{Done}$, but $(\sigma, \sigma')$ is not a prefix of $(\sigma, \sigma'\ \mathrm{Ret})$. Such differences are essential.

4.2. Transitions and Transition Sequences. A plain transition is a pair of stores $(\sigma, \sigma')$. A return transition is a pair of stores $(\sigma, \sigma'\ \mathrm{Ret})$ in which the second is adorned with the marker Ret. A transition is a plain transition or a return transition.

A main-thread transition sequence (hereunder simply: transition sequence) is a finite 
(possibly empty) sequence, beginning with a sequence of transitions, of which at most one 
(not necessarily the last) is a return transition, and optionally followed by the marker Done 
if one of the transitions is a return transition. We write TSeq for the set of transition 
sequences. 

A pure transition sequence is a finite sequence of plain transitions, possibly followed by 
a marker Done. Note that such a sequence need not be a transition sequence. It is proper if 
it is not equal to Done. We write PSeq for the set of pure transition sequences, and PPSeq 
for the subset of the proper ones. 

We use the following notation:

• We typically let u, v, and w range over transition sequences or pure transition sequences, and let t range over non-empty ones.

• We write $u \leq_p v$ for the prefix relation between sequences u and v (for both kinds of sequences, pure or not). For example, as mentioned above, we have that $(\sigma, \sigma'\ \mathrm{Ret}) \leq_p (\sigma, \sigma'\ \mathrm{Ret})\mathrm{Done}$, but $(\sigma, \sigma') \not\leq_p (\sigma, \sigma'\ \mathrm{Ret})$.

• A set P is prefix-closed if whenever $u \leq_p v \in P$ then $u \in P$. We write $P{\downarrow}$ for the least prefix-closed set that contains P.

• For a non-empty sequence of transitions t, we write fst(t) for the first store of the first transition of t.

• For a transition sequence u, we write $u^c$ for the pure transition sequence obtained by cleaning u, which means removing the Ret marker, if present, from u.

• We let τ range over stores and stores with return markers.

4.3. Interpretation of Commands. 

Preliminaries. We let Proc be the collection of the non-empty prefix-closed sets of transition sequences, and let Pool be the collection of the non-empty prefix-closed sets of pure transition sequences. Under the subset partial ordering, Proc and Pool are both ω-cpos (i.e., partial orders with sups of increasing sequences) with least element $\{\varepsilon\}$. We interpret commands as elements of Proc. We use Pool as an auxiliary ω-cpo; below it also serves for the semantics of thread pools. We also let AProc be the sub-ω-cpo of Pool of all non-empty prefix-closed sets of proper pure transition sequences. We think of such sets as modeling asynchronous threads, spawned by an active thread; the difference from Pool is that the latter also contains an element that models the empty thread pool.

We define a continuous cleaning function

$-^c : \mathrm{Proc} \to \mathrm{AProc}$

by:

$P^c = \{u^c \mid u \in P\}$

(Continuous functions are those preserving all sups of increasing sequences.)

We define the set $u \bowtie v$ of shuffles of a pure transition sequence u with a sequence v, whether a transition sequence or a pure transition sequence, as follows:

• If neither finishes with Done, their set of shuffles is defined as usual for finite sequences.

• If u does not finish with Done, then a shuffle of u and v Done is a shuffle of u and v. Similarly, if v does not finish with Done, then a shuffle of u Done and v is a shuffle of u and v.

• A shuffle of u Done and v Done is a shuffle of u and v followed by Done.

If both u and v are pure transition sequences then so is every element of $u \bowtie v$; if u is a pure transition sequence and v is a transition sequence, then every element of $u \bowtie v$ is a transition sequence.

Lemma 4.1. For any u, v, and w where either:

• all three are pure transition sequences, or

• u and v are pure transition sequences, and w is a transition sequence

we have:

$\bigcup\{t \bowtie w \mid t \in u \bowtie v\} = \bigcup\{u \bowtie t \mid t \in v \bowtie w\}$

□


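As an added example (not from the paper), the following Python code represents transition sequences concretely and implements the shuffle just defined together with the trace-level composition rule described informally in Section 4.1: a trace of C without Ret passes through unchanged; a trace $u(\sigma_n, \sigma_n'\ \mathrm{Ret})u'$ of C combines with a trace $(\sigma_n', \sigma''\,[\mathrm{Ret}])v$ of D that starts from the store $\sigma_n'$ into $u(\sigma_n, \sigma''\,[\mathrm{Ret}])w$ with w a shuffle of u' and v. Stores are symbolic strings such as "s" and "s[n]", as in the paper's own examples; the encoding of a transition as (source, target, has_ret) and the helper names are this example's conventions, and the traces fed to the examples are the ones the paper states for the component commands.

```python
"""Transition sequences as tuples (added example).  A transition is (src, dst, ret) with
ret = True for a return transition (sigma, sigma' Ret); a trailing "Done" string marks a
complete normally terminating execution.  Stores are symbolic strings."""
from itertools import chain

DONE = "Done"

def tr(src, dst, ret=False):  # constructor for a transition
    return (src, dst, ret)

def split_done(u):
    """Separate a sequence from its optional trailing Done marker."""
    return (u[:-1], True) if u and u[-1] == DONE else (u, False)

def interleave(u, v):
    """All interleavings of two finite sequences (the usual shuffle)."""
    if not u or not v:
        return {u + v}
    return ({(u[0],) + w for w in interleave(u[1:], v)}
            | {(v[0],) + w for w in interleave(u, v[1:])})

def shuffle(u, v):
    """u ⋈ v for a pure transition sequence u and a (pure or main-thread) sequence v,
    following Section 4.3: Done survives only when both u and v finish with it."""
    u0, u_done = split_done(u)
    v0, v_done = split_done(v)
    ws = interleave(u0, v0)
    return {w + (DONE,) for w in ws} if u_done and v_done else ws

def clean(u):
    """u^c: the pure transition sequence obtained by dropping the Ret marker."""
    return tuple(t if t == DONE else (t[0], t[1], False) for t in u)

def ret_index(u):
    """Position of the (at most one) return transition in u, or None."""
    return next((i for i, t in enumerate(u) if t != DONE and t[2]), None)

def compose(c, d):
    """Traces of C;D obtained from a trace c of C and a trace d of D (Section 4.1)."""
    i = ret_index(c)
    if i is None:                       # no Ret: D never gets control, c stands alone
        return {c}
    u, (s_n, s_ret, _), u_rest = c[:i], c[i], c[i + 1:]
    if not d or d[0] == DONE or d[0][0] != s_ret:
        return set()                    # d must start from the store C returns with
    (_, s_new, ret), v = d[0], d[1:]    # the Ret of the result, if any, comes from d
    return {u + ((s_n, s_new, ret),) + w for w in shuffle(u_rest, v)}

def prefix_closure(P):
    """P↓: every prefix of every sequence in P (Done counts as a separate element)."""
    return {u[:k] for u in P for k in range(len(u) + 1)}

def compose_sets(P, Q):
    """Composition lifted to trace sets, kept prefix-closed."""
    return prefix_closure(set(chain.from_iterable(compose(c, d) for c in P for d in Q)))

def example_yield_between():
    """x := n; yield; x := n' from the paper's traces of its pieces: x := n contributes
    (s, s[n] Ret)Done, and yield; x := n' contributes, starting from s[n], the stutter
    (s[n], s[n]) followed by (s', s'[n'] Ret)Done."""
    assign_n = (tr("s", "s[n]", True), DONE)
    yield_then_assign = (tr("s[n]", "s[n]"), tr("s'", "s'[n']", True), DONE)
    return compose(assign_n, yield_then_assign)

def example_async_commutes():
    """Both sides of [async (C); x := n] = [x := n; async (C)] for C = x := n', from the
    traces (s, s Ret)(s', s'[n'])Done of async (x := n') and (s, s[n] Ret)Done of x := n."""
    async_c = (tr("s", "s", True), tr("s'", "s'[n']"), DONE)
    assign_n = (tr("s", "s[n]", True), DONE)
    left = compose(async_c, assign_n)                                      # async (C); x := n
    right = compose(assign_n, (tr("s[n]", "s[n]", True), tr("s'", "s'[n']"), DONE))
    return left, right                                                     # x := n; async (C)
```

Both examples return the traces the paper gives for these commands, with the Done marker that the paper's displayed traces omit as a prefix.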

We define a continuous composition function 
$[\![\mathtt{skip}]\!] = *$

$[\![x := e]\!] = \{(\sigma, \sigma[x \mapsto n]\ \mathrm{Ret})\mathrm{Done} \mid \sigma \in \mathrm{Store}, \sigma(e) = n\}{\downarrow}$

$[\![C; D]\!] = [\![C]\!] \circ [\![D]\!]$

$[\![\mathtt{if}\ b\ \mathtt{then}\ C\ \mathtt{else}\ D]\!] = \{t \mid t \in [\![C]\!], \text{non-empty}, \mathrm{fst}(t)(b) = \mathit{true}\}{\downarrow} \cup \{t \mid t \in [\![D]\!], \text{non-empty}, \mathrm{fst}(t)(b) = \mathit{false}\}{\downarrow}$

$[\![\mathtt{while}\ b\ \mathtt{do}\ C]\!] = \bigcup_i [\![(\mathtt{while}\ b\ \mathtt{do}\ C)_i]\!]$

$[\![\mathtt{async}\ C]\!] = \mathsf{async}([\![C]\!]^c)$

$[\![\mathtt{yield}]\!] = d(*)$

$[\![\mathtt{block}]\!] = \{\varepsilon\}$

Figure 5: Denotational semantics.



We also define a continuous delay function

$d : \mathrm{Proc} \to \mathrm{Proc}$

by:

$d(P) = \{(\sigma, \sigma)u \mid \sigma \in \mathrm{Store}, u \in P\}{\downarrow}$

Thus, d(P) is P preceded by all possible stutters (plus $\varepsilon$). Similarly, we define a continuous function

$\mathsf{async} : \mathrm{AProc} \to \mathrm{Proc}$

by:

$\mathsf{async}(Q) = \{(\sigma, \sigma\ \mathrm{Ret})u \mid \sigma \in \mathrm{Store}, u \in Q\}{\downarrow}$

Thus, for $P \in \mathrm{Proc}$, $\mathsf{async}(P^c)$ differs from d(P) only in the placement of the marker Ret.

4.3.1. Interpretation. The denotational semantics

$[\![\cdot]\!] : \mathrm{Com} \to \mathrm{Proc}$

maps a command to a non-empty prefix-closed set of transition sequences. We define it in Figure 5. There, the interpretation of loops relies on the following approximations:

$(\mathtt{while}\ b\ \mathtt{do}\ C)_0 = \mathtt{block}$

$(\mathtt{while}\ b\ \mathtt{do}\ C)_{i+1} = \mathtt{if}\ b\ \mathtt{then}\ (C; (\mathtt{while}\ b\ \mathtt{do}\ C)_i)\ \mathtt{else}\ \mathtt{skip}$

The 0-th approximant corresponds to divergence, which here we identify with blocking. We straightforwardly extend the semantics to contexts, so that

$[\![\mathcal{C}]\!] : \mathrm{Proc} \to \mathrm{Proc}$

is a continuous function on Proc. This function is defined by induction on the form of $\mathcal{C}$, with the usual clauses of the definition of $[\![\cdot]\!]$ plus $[\![[\,]]\!](P) = P$.

Proposition 4.2. $[\![\mathcal{C}[C]]\!] = [\![\mathcal{C}]\!]([\![C]\!])$. Therefore, if $[\![C]\!] \subseteq [\![D]\!]$ then $[\![\mathcal{C}[C]]\!] \subseteq [\![\mathcal{C}[D]]\!]$. □
4.4. Interpretation of Thread Pools. As an auxiliary definition, it is important to have also an interpretation of thread pools as elements of Pool. We develop one in this section.

4.4.1. Preliminaries. We define a continuous shuffle operation

$\bowtie : \mathrm{Pool}^2 \to \mathrm{Pool}$

at this level by:

$P \bowtie Q = \bigcup_{u \in P,\, v \in Q} u \bowtie v$

The shuffle operation is commutative and associative, with unit $I =_{\mathrm{def}} \{\varepsilon, \mathrm{Done}\}$; associativity follows from Lemma 4.1.

We define the set of right shuffles $u \triangleright v$ of a pure transition sequence u with a transition sequence v by setting

$u \triangleright (\sigma, \tau)v = \{(\sigma, \tau)w \mid w \in u \bowtie v\}$

and

$u \triangleright \varepsilon = \{\varepsilon\}$

We then define

$\mathsf{async} : \mathrm{Pool} \times \mathrm{Proc} \to \mathrm{Proc}$

by:

$\mathsf{async}(P, Q) = \bigcup_{u \in P,\, v \in Q} u \triangleright v$

The use of the notation async for both a unary and a binary operation is a slight abuse, though in line with the algebraic theory of effects: see the discussion in Section 6. In this regard note the equality $\mathsf{async}(P) \circ Q = \mathsf{async}(P, Q)$ (and the equality $[\![\mathtt{yield}]\!] \circ P = d(P)$ points to the corresponding relationship between d and $[\![\mathtt{yield}]\!]$).

4.4.2. Interpretation. We define the semantics of thread pools by:

$[\![C_1, \ldots, C_n]\!] = [\![C_1]\!]^c \bowtie \ldots \bowtie [\![C_n]\!]^c \quad (n \geq 0)$

intending that $[\![\varepsilon]\!] = I$. For any thread pool T, $\mathrm{Done} \in [\![T]\!]$ iff $T = \varepsilon$ (because, for all C, $\mathrm{Done} \notin [\![C]\!]^c$ and, for all P and Q, $I \subseteq P \bowtie Q$ iff $I \subseteq P$ and $I \subseteq Q$). Further, we set

$[\![T, C]\!] = \mathsf{async}([\![T]\!], [\![C]\!])$.

Lemma 4.3. For all $P, Q \in \mathrm{Pool}$ and $R \in \mathrm{Proc}$ we have:

(1) $\mathsf{async}(P \bowtie Q, R) = \mathsf{async}(P, \mathsf{async}(Q, R))$

(2) $\mathsf{async}(I, R) = R$

Proof. For the first part, one shows for all pure transition sequences u and v and transition sequences w that:

$\bigcup\{v' \triangleright w \mid v' \in u \bowtie v\} = \bigcup\{u \triangleright v' \mid v' \in v \triangleright w\}$

To this end, one proceeds by cases on w, using Lemma 4.1. The second part is obvious. □
4.5. Equivalences. An attractive application of denotational semantics is in proving equivalences and implementation relations between commands. Such denotational proofs tend to be simple calculations. Via adequacy and full-abstraction results (of the kind established in Section 5), one then obtains operational results that would typically be much harder to obtain directly by operational arguments.

As an example, we note that we have the following equivalence:

$[\![\mathtt{async}\,(C; \mathtt{yield}; D)]\!] = [\![\mathtt{async}\,(C; \mathtt{async}\,(D))]\!]$

This equivalence follows from three facts:

• We have:

$[\![\mathtt{yield}; D]\!]^c = [\![\mathtt{async}\,(D)]\!]^c = \{(\sigma, \sigma)u^c \mid \sigma \in \mathrm{Store}, u \in [\![D]\!]\}{\downarrow};$

• whenever $[\![D_1]\!]^c = [\![D_2]\!]^c$, $[\![C; D_1]\!]^c = [\![C; D_2]\!]^c$;

• whenever $[\![D_1]\!]^c = [\![D_2]\!]^c$, $[\![\mathtt{async}\,(D_1)]\!] = [\![\mathtt{async}\,(D_2)]\!]$.

This particular equivalence is interesting for two reasons: 

• It models an implementation strategy (in use in AME) where, when executing C; yield; D, 
the yield causes a new asynchronous thread for D to be added to the thread pool. 

• It illustrates one possible, significant pitfall in more explicit semantics. As discussed above, such a semantics might detail that a particular step in a computation causes the spawning of a thread. More specifically, it might extend transitions with an extra trace component: a triple $(\sigma, u, \tau)$ might represent a step from σ to τ that spawns a thread that contains the trace u. With such a semantics, the meanings of async (C; yield; D) and async (C; async (D)) would be different, since they have different spawning behavior.

Many other useful equivalences hold. For instance, we have:

$[\![x := n; x := n']\!] = [\![x := n']\!]$

trivially. For every C, we also have:

$[\![\mathtt{async}\,(C); x := n]\!] = [\![x := n; \mathtt{async}\,(C)]\!]$

and, for every C and D, we have:

$[\![\mathtt{async}\,(C); \mathtt{async}\,(D)]\!] = [\![\mathtt{async}\,(D); \mathtt{async}\,(C)]\!]$

Another important equivalence is:

$[\![\mathtt{while}\ (0 = 0)\ \mathtt{do}\ \mathtt{skip}]\!] = [\![\mathtt{block}]\!]$

Thus, the semantics does not distinguish an infinite loop which never yields from immediate blocking. On the other hand, we have:

$[\![\mathtt{while}\ (0 = 0)\ \mathtt{do}\ \mathtt{yield}]\!] \neq [\![\mathtt{block}]\!]$

The command while (0 = 0) do yield generates unbounded sequences of stutters $(\sigma, \sigma)$. Similarly, we have:

$[\![\mathtt{yield}; \mathtt{yield}]\!] \neq [\![\mathtt{yield}]\!]$

Alternative semantics that would distinguish while (0 = 0) do skip from block or that would identify while (0 = 0) do yield with block and yield; yield with yield are viable, however. We briefly discuss those variants and others in Section 7.

We leave as subjects for further research the problems of axiomatizing and of deciding equivalence and implementation relations, and the related problem of program verification, perhaps restricted to subsets of the language — even, for example, to the subset with just composition, spawning, and yielding. There is a large literature on axiomatization and decidability in concurrency theory; see, e.g., [AI07] for discussion and further references. Also, recent results on the automatic verification of asynchronous programs appear rather encouraging [JM07, GMR09]; some of their ideas might be applicable in our setting.

4.6. Two Extensions. Trace-based semantics can also be given for variants and enhancements of our basic imperative language. Here we illustrate this point by considering two such enhancements, which illustrate the use of Ret and Done. Section 7 briefly considers other possible language features.

4.6.1. finish. While cleaning maps a transition sequence to a proper pure transition sequence, a marking function maps a proper pure transition sequence to a transition sequence. For a proper pure transition sequence u, we define $u^m$ by:

$(v(\sigma, \sigma')\mathrm{Done})^m = v(\sigma, \sigma'\ \mathrm{Ret})\mathrm{Done}$

$v^m = v$   (if v does not contain Done)

Thus, $u^m$ includes a marker Ret only if u contains a marker Done (that is, if u corresponds to a terminating execution); the marker Ret is on the last transition of $u^m$, intuitively indicating that control is returned to the sequential context when execution terminates.

Much as for cleaning, we extend marking to non-empty prefix-closed sets of proper pure transition sequences:

$-^m : \mathrm{AProc} \to \mathrm{Proc}$

Using this extension, we can define the meaning of a construct finish, inspired by that of the X10 language [CGS+05, SJ05]. We set:

$[\![\mathtt{finish}\ C]\!] = ([\![C]\!]^c)^m$

The intent is that finish C executes C and returns control when all activities spawned by C terminate. For instance, in finish (async (x := 0)); x := 1, the assignment x := 1 will execute only after x := 0 is done. In contrast, in async (x := 0); x := 1, the assignments have the opposite ordering. However, finish (async (x := 0)) is not equivalent to x := 0, but rather to yield; x := 0. Beyond this simple example, finish can be applied to more complex commands, possibly with nested forks, and ensures that all the activities forked terminate before returning control.

4.6.2. Parallel Composition. The definition of parallel composition relies on familiar themes: 
the use of shuffling, and the decomposition of parallel composition into two cases. The cases 
correspond to whether the left or the right argument of parallel composition takes the first 
step. 

We define parallel composition at the level of transition sequences by letting $u \parallel u'$ and $u \parallel_l u'$ be the least sets that satisfy prefix-closure and the following clauses:

• $w \in (\varepsilon \parallel w)$ and $w \in (w \parallel \varepsilon)$,

• $(t \parallel t') = (t' \parallel_l t) \cup (t \parallel_l t')$,

• if $v \in (w \parallel t')$, then $(\sigma, \sigma')v \in ((\sigma, \sigma')w \parallel_l t')$,

• if $v \in w \bowtie w'$, then $(\sigma, \tau)v \in ((\sigma, \sigma'\ \mathrm{Ret})w \parallel_l (\sigma', \tau)w')$.
Extending this function to

$- \parallel - : \mathrm{Proc} \times \mathrm{Proc} \to \mathrm{Proc}$

we can define the meaning of a parallel-composition construct:

$[\![C \parallel D]\!] = [\![C]\!] \parallel [\![D]\!]$

The reader may verify that parallel composition, as defined here, has the expected properties, for instance that it is commutative and associative with unit skip. It is also worth noting that (under mild assumptions on the available expressions) the binary nondeterministic choice operator ∪ considered in Section 6.1 is definable from parallel composition. The converse also holds, under restricted circumstances: if all occurrences of yield in C and D occur inside an async then we have:

$[\![C \parallel D]\!] = [\![C; D]\!] \cup [\![D; C]\!]$



5. Adequacy and Full Abstraction 

In this section we establish that the denotational semantics of Section 4 coincides with the operational semantics of Section 3 and is fully abstract.

The adequacy theorem (Theorem 5.10), which expresses the coincidence, says that the traces that the denotational semantics predicts are exactly those that can happen operationally. These traces may in general represent the behavior of a command in a context. As a special case, the adequacy theorem applies to runs, which are essentially traces that the command can produce on its own, i.e., with an empty context. This special case is spelled out in Corollary 5.11, which states that the runs that the denotational semantics predicts are exactly those that can happen operationally.

The full-abstraction theorem (Theorem 5.15) states that two commands C and D have the same set of traces denotationally if, and only if, they produce the same runs in combination with every context. In particular, observing runs, we cannot distinguish C and D in any context. Note that, given Corollary 5.11, we may equivalently speak of runs denotationally or operationally. We comment on other possible notions of observation, and the corresponding full-abstraction results, below.

Section 5.1 defines runs precisely. Sections 5.2 and 5.3 present our adequacy and full-abstraction results, respectively.

5.1. Runs. A pure transition sequence generates a run if, however it can be written as $u(\sigma,\sigma')(\sigma'',\sigma''')v$, we have $\sigma' = \sigma''$. If $w = (\sigma_1,\sigma_2)\ldots(\sigma_{n-1},\sigma_n)$ is such a pure transition sequence, we set $\mathrm{run}(w) = \sigma_1\ldots\sigma_n$ and $\mathrm{run}(w\,\mathrm{Done}) = \sigma_1\ldots\sigma_n\,\mathrm{Done}$. A transition sequence u generates a run if $u^c$ does, and then we set $\mathrm{run}(u) = \mathrm{run}(u^c)$.

If a pure transition sequence u generates a run, then it can easily be recovered from $\mathrm{run}(u)$: the run $\sigma_1\ldots\sigma_n$ maps back to

$$(\sigma_1,\sigma_2)\ldots(\sigma_{n-1},\sigma_n)$$

and the run $\sigma_1\ldots\sigma_n\,\mathrm{Done}$ maps back to

$$(\sigma_1,\sigma_2)\ldots(\sigma_{n-1},\sigma_n)\,\mathrm{Done}$$

Since each non-empty run contains at least two elements, this definition applies when $n = 0$ and $n \geq 2$. We write $\mathrm{runs}(P)$ for the set of runs generated by (pure) transition sequences in P.

5.2. Adequacy. 

Lemma 5.1. The following equalities hold:

(1) $[\![\mathcal{E}[\mathrm{block}]]\!] = [\![\mathrm{block}]\!]$

(2) $[\![\mathrm{skip}; C]\!] = [\![C]\!]$

(3) $[\![\mathcal{E}[\mathrm{async}\ D]]\!] = \mathrm{async}([\![D]\!]^c, [\![\mathcal{E}[\mathrm{skip}]]\!])$

(4) $[\![\mathcal{E}[\mathrm{yield}]]\!]^c = \mathrm{async}([\![\mathcal{E}[\mathrm{skip}]]\!]^c, [\![\mathrm{skip}]\!])^c$

(5) For all $T \neq \epsilon$ (equivalently $\mathrm{Done} \notin [\![T]\!]$),

$$[\![T]\!] = \bigcup\{[\![T'.T'', C]\!]^c \mid T = T'.C.T''\}$$

Proof. The first part is immediate from the semantics of block and the definition of composition. The second part holds as $\ast$ is a unit for composition. The third part follows from the facts that $\mathrm{async}(P) \circ Q = \mathrm{async}(P, Q)$ and that composition is associative with unit $\ast$.

For the fourth part, using the third part one sees that it is enough to show that for every $\mathcal{E}$ we have:

$$[\![\mathcal{E}[\mathrm{yield}]]\!]^c = [\![\mathrm{async}\ \mathcal{E}[\mathrm{skip}]]\!]^c$$

As composition is associative with unit $\ast$, this is equivalent to showing that, for every C we have:

$$[\![\mathrm{yield}; C]\!]^c = \mathrm{async}([\![C]\!]^c)^c$$

which follows immediately, expanding the definitions. The proof of the fifth part is a straightforward verification. □

Lemma 5.2. If C is blocked then, for all T, $[\![T, C]\!] = \{\epsilon\}$.

Proof. We calculate:

$$[\![T, \mathcal{E}[\mathrm{block}]]\!] = \mathrm{async}([\![T]\!], [\![\mathcal{E}[\mathrm{block}]]\!]) = \mathrm{async}([\![T]\!], [\![\mathrm{block}]\!]) \quad \text{(by Lemma 5.1)} \quad = \{\epsilon\}$$

□

Lemma 5.3. $[\![T, \mathrm{skip}]\!] = \{(\sigma, \sigma\,\mathrm{Ret})v \mid v \in [\![T]\!]\}\!\downarrow$.

Proof. Immediate from the definition of async. □

The next lemma applies when C is neither skip nor blocked.

Lemma 5.4. Suppose that $(\sigma,T,C) \to_a (\sigma',T',C')$. Then, for any $\sigma''$, $(\sigma,\sigma'')v \in [\![T,C]\!]^c$ iff $(\sigma',\sigma'')v \in [\![T',C']\!]^c$.

Proof. We divide into cases according to the form of C. In the case where C has the form $\mathcal{E}[\mathrm{skip};D]$ we have $\sigma' = \sigma$, $T' = T$ and $C' = \mathcal{E}[D]$. So, by Lemma 5.1 we have $[\![T', C']\!] = [\![T, C]\!]$, and we are done.

In the case where C instead has the form $\mathcal{E}[\mathrm{async}\ D]$, we have $\sigma' = \sigma$, $T' = T.D$ and $C' = \mathcal{E}[\mathrm{skip}]$ and we calculate:

$$[\![T', C']\!] = [\![T.D, \mathcal{E}[\mathrm{skip}]]\!] = \mathrm{async}([\![T]\!], \mathrm{async}([\![D]\!]^c, [\![\mathcal{E}[\mathrm{skip}]]\!])) = [\![T, \mathcal{E}[\mathrm{async}\ D]]\!] \quad \text{(by Lemma 5.1)} \quad = [\![T, C]\!]$$

and we are done.

In the case where C instead has the form $\mathcal{E}[\mathrm{yield}]$, we have $\sigma' = \sigma$, $T' = T.\mathcal{E}[\mathrm{skip}]$, $C' = \mathrm{skip}$ and, again using Lemma 5.1, we calculate:

$$[\![T', C']\!]^c = [\![T.\mathcal{E}[\mathrm{skip}], \mathrm{skip}]\!]^c = \mathrm{async}([\![T]\!], \mathrm{async}([\![\mathcal{E}[\mathrm{skip}]]\!]^c, [\![\mathrm{skip}]\!]))^c = [\![T, \mathcal{E}[\mathrm{yield}]]\!]^c = [\![T, C]\!]^c$$

and we are done.

In the next case, C has the form $\mathcal{E}[x := e]$, and we have $\sigma' = \sigma[x \mapsto \sigma(e)]$, $T' = T$ and $C' = \mathcal{E}[\mathrm{skip}]$. Here $[\![T, C]\!] = [\![T, x := e; \mathcal{E}[\mathrm{skip}]]\!]$. So we have that $(\sigma,\tau)v \in [\![T, C]\!]$ holds iff $(\sigma',\tau)v \in [\![T, \mathcal{E}[\mathrm{skip}]]\!]$.

Otherwise, C has one of the forms $\mathcal{E}[\mathrm{if}\ b\ \mathrm{then}\ C\ \mathrm{else}\ D]$ or $\mathcal{E}[\mathrm{while}\ b\ \mathrm{do}\ C]$ and we proceed much as in the previous case. □

Lemma 5.5. Suppose that $(\sigma,T,C) \to_a^*$ some $(\sigma',T',\mathrm{skip})$ with $u \in [\![T']\!]^c$. Then $(\sigma,\sigma')u \in [\![T,C]\!]^c$.

Proof. This follows from Lemmas 5.3 and 5.4. □

For the proof of the converse of this lemma, we proceed by an induction on the size of loop-free commands. We then extend to general commands by expressing their semantics in terms of the semantics of their approximations by loop-free commands. The size of a loop-free command is defined by structural recursion:

$$|\mathrm{skip}| = |\mathrm{block}| = 1 \qquad |x := e| = |\mathrm{async}\ C| = |\mathrm{yield}| = 2$$

$$|\mathrm{if}\ b\ \mathrm{then}\ C\ \mathrm{else}\ D| = |C;D| = |C| + |D|$$

Note that if $(\sigma,T,C) \to_a (\sigma',T',C')$ and C is loop-free, then so is $C'$ and, further, $|C'| < |C|$.

The approximation relation $C \preceq D$ between loop-free commands C and general commands D is defined to be the least such relation closed under all non-looping program constructs and such that, for any b, C, D, and $i \geq 0$:

$$\mathrm{block} \preceq D \qquad\qquad \frac{C \preceq D}{(\mathrm{while}\ b\ \mathrm{do}\ C)^i \preceq (\mathrm{while}\ b\ \mathrm{do}\ D)}$$

This relation is extended to thread pools and contexts in the obvious way: we write $T \preceq T'$ and $\mathcal{C} \preceq \mathcal{C}'$ for these extensions.

Lemma 5.6. Suppose that $T \preceq U$, $C \preceq D$, and, further, that $(\sigma,T,C) \to_a (\sigma',T',C')$. Then, for some $U'$, $D'$ with $T' \preceq U'$ and $C' \preceq D'$, $(\sigma,U,D) \to_a^* (\sigma',U',D')$.

Proof. One first notes that, for any C, D, if $\mathcal{E}[C] \preceq D$ then D has the form $\mathcal{E}'[D']$ where $\mathcal{E} \preceq \mathcal{E}'$ and $C \preceq D'$. The proof then divides into cases according to the rule used to show that $(\sigma,T,C) \to_a (\sigma',T',C')$.

For example, suppose we have $C = \mathcal{E}[\mathrm{if}\ b\ \mathrm{then}\ C_1\ \mathrm{else}\ C_2]$ and $\sigma(b) = \mathrm{true}$. We know that D must have the form $\mathcal{E}'[D']$ where $\mathcal{E} \preceq \mathcal{E}'$ and $(\mathrm{if}\ b\ \mathrm{then}\ C_1\ \mathrm{else}\ C_2) \preceq D'$. Suppose now that $D'$ has the form $\mathrm{while}\ b\ \mathrm{do}\ D''$. Then we must have, for some $i \geq 0$, that $C_1 = C''; (\mathrm{while}\ b\ \mathrm{do}\ C'')^i$ where $C'' \preceq D''$. But then we observe that

$$(\sigma,U,D) \to_a (\sigma,U,\mathcal{E}'[\mathrm{if}\ b\ \mathrm{then}\ D'';D'\ \mathrm{else}\ \mathrm{skip}]) \to_a (\sigma,U,\mathcal{E}'[D'';D'])$$

and the conclusion follows. The other cases are straightforward. □

Next we define the approximants $C^{(i)}$ of a command C by induction on i and structural recursion on C, beginning with the case where C has one of the forms skip, block, $x := e$, or yield, when $C^{(i)} = C$, and continuing with:

$$(\mathrm{async}\ C)^{(i)} = \mathrm{async}\ C^{(i)}$$
$$(\mathrm{if}\ b\ \mathrm{then}\ C\ \mathrm{else}\ D)^{(i)} = \mathrm{if}\ b\ \mathrm{then}\ C^{(i)}\ \mathrm{else}\ D^{(i)}$$
$$(C;D)^{(i)} = C^{(i)}; D^{(i)}$$
$$(\mathrm{while}\ b\ \mathrm{do}\ C)^{(i)} = (\mathrm{while}\ b\ \mathrm{do}\ C^{(i)})^i$$

For any C one shows that $C^{(i)} \preceq C^{(i+1)} \preceq C$.

Lemma 5.7.

(1) If $C \preceq D$ then $[\![C]\!] \subseteq [\![D]\!]$.

(2) For any command D:

$$[\![D]\!] = \bigcup_i [\![D^{(i)}]\!]$$

Proof. The first part is evident using the monotonicity of the semantics of the program constructors and the semantics of loops. For the second part, we proceed by structural induction on D. All cases are straightforward, using the continuity of the program constructors, except for loops where we calculate:

$$[\![\mathrm{while}\ b\ \mathrm{do}\ D]\!] = \bigcup_i [\![(\mathrm{while}\ b\ \mathrm{do}\ D)^i]\!]$$
$$= \bigcup_i \bigcup_j [\![(\mathrm{while}\ b\ \mathrm{do}\ D^{(j)})^i]\!]$$
$$= \bigcup_i [\![(\mathrm{while}\ b\ \mathrm{do}\ D^{(i)})^i]\!]$$
$$= \bigcup_i [\![(\mathrm{while}\ b\ \mathrm{do}\ D)^{(i)}]\!] \qquad □$$

We can now establish the converse of Lemma 5.5.

Lemma 5.8. Suppose that $(\sigma,\sigma')u \in [\![T,C]\!]^c$. Then $(\sigma,T,C) \to_a^* (\sigma',T',\mathrm{skip})$ for some $T'$ with $u \in [\![T']\!]^c$.

Proof. We begin by proving this for loop-free commands C. The proof is by induction on the size of C. If C is skip we have $(\sigma,T,\mathrm{skip}) \to_a^* (\sigma,T,\mathrm{skip})$ and the conclusion follows, as, by Lemma 5.3, $(\sigma,\sigma')u \in [\![T,\mathrm{skip}]\!]^c$ iff $\sigma' = \sigma$ and $u \in [\![T]\!]^c$. If C is blocked, the conclusion holds trivially, by Lemma 5.2.

If C is neither skip nor blocked we have $(\sigma,T,C) \to_a (\sigma'',T'',C'')$ (and then $C''$ is loop-free and $|C''| < |C|$). Then, by Lemma 5.4, $(\sigma,\sigma')u \in [\![T,C]\!]^c$ iff $(\sigma'',\sigma')u \in [\![T'',C'']\!]^c$ which latter, by the induction hypothesis, implies $(\sigma'',T'',C'') \to_a^*$ some $(\sigma',T',\mathrm{skip})$ with $u \in [\![T']\!]^c$ which, in turn, implies $(\sigma,T,C) \to_a^*$ some $(\sigma',T',\mathrm{skip})$ with $u \in [\![T']\!]^c$, as desired.

Next suppose that $(\sigma,\sigma')u \in [\![T,D]\!]^c$, where now D is not loop-free. By Lemma 5.7 $(\sigma,\sigma')u \in [\![T,C]\!]^c$ for some $C \preceq D$. So, by the above, $(\sigma,T,C) \to_a^*$ some $(\sigma',T',\mathrm{skip})$ with $u \in [\![T']\!]^c$. The desired conclusion follows immediately, using Lemma 5.6. □
Lemma 5.9.

(1) For any proper non-empty pure transition sequence u, $(\sigma,\sigma')u \in [\![T,C]\!]^c$ iff for some $T'$, $C'$, $(\sigma,T,C) \to_a^* \to_c (\sigma',T',C')$ with $u \in [\![T',C']\!]^c$.

(2) For any $\sigma$, $\sigma'$, T, C, $(\sigma,\sigma')\mathrm{Done} \in [\![T,C]\!]^c$ iff $(\sigma,T,C) \to_a^* (\sigma',\epsilon,\mathrm{skip})$.

Proof. By Lemma 5.8, $(\sigma,\sigma')u \in [\![T,C]\!]^c$ holds iff $(\sigma,T,C) \to_a^*$ some $(\sigma',T',\mathrm{skip})$ does, with $u \in [\![T']\!]$. In the case where u is proper the conclusion follows from Lemma 5.1. In the case where u is Done we see from the definition of $[\![T']\!]$ that $\mathrm{Done} \in [\![T']\!]$ iff $T' = \epsilon$. □

The following Adequacy Theorem for pure transition sequences is an immediate consequence of Lemmas 5.8 and 5.9:

Theorem 5.10.

(1) For $n > 0$, $(\sigma_1,\sigma'_1)\ldots(\sigma_n,\sigma'_n) \in [\![T,C]\!]^c$ iff there are $T_i, C_i$ ($i = 1,\ldots,n$) such that $T_1 = T$, $C_1 = C$, and $(\sigma_i,T_i,C_i) \to_a^* \to_c (\sigma'_i,T_{i+1},C_{i+1})$, for $1 \leq i \leq n-1$, and $(\sigma_n,T_n,C_n) \to_a^*$ some $(\sigma'_n,T',\mathrm{skip})$.

(2) For $n > 0$, $(\sigma_1,\sigma'_1)\ldots(\sigma_n,\sigma'_n)\mathrm{Done} \in [\![T,C]\!]^c$ iff there are $T_i, C_i$ ($i = 1,\ldots,n$) such that $T_1 = T$, $C_1 = C$, and $(\sigma_i,T_i,C_i) \to_a^* \to_c (\sigma'_i,T_{i+1},C_{i+1})$, for $1 \leq i \leq n-1$, and $(\sigma_n,T_n,C_n) \to_a^* (\sigma'_n,\epsilon,\mathrm{skip})$. □

As a corollary we obtain an adequacy theorem for runs:

Corollary 5.11.

(1) For $n \geq 2$, $\sigma_1\ldots\sigma_n \in \mathrm{runs}([\![T,C]\!])$ iff there are $T_i, C_i$ ($i = 1,\ldots,n-1$) such that $T_1 = T$, $C_1 = C$, $(\sigma_i,T_i,C_i) \to_a^* \to_c (\sigma_{i+1},T_{i+1},C_{i+1})$ ($1 \leq i \leq n-2$), and $(\sigma_{n-1},T_{n-1},C_{n-1}) \to_a^*$ some $(\sigma_n,T',\mathrm{skip})$.

(2) For $n \geq 2$, $\sigma_1\ldots\sigma_n\mathrm{Done} \in \mathrm{runs}([\![T,C]\!])$ iff there are $T_i, C_i$ ($i = 1,\ldots,n-1$) such that $T_1 = T$, $C_1 = C$, and $(\sigma_i,T_i,C_i) \to_a^* \to_c (\sigma_{i+1},T_{i+1},C_{i+1})$ ($1 \leq i \leq n-2$), and $(\sigma_{n-1},T_{n-1},C_{n-1}) \to_a^* (\sigma_n,\epsilon,\mathrm{skip})$. □

5.3. Full Abstraction. The first lemma in the proof of full abstraction bounds the nondeterminism of commands in semantic terms.

Lemma 5.12. For all C, u, and $\sigma$, the set $\{\tau \mid u(\sigma,\tau) \in [\![C]\!]\}$ is finite.

Proof. More generally, we prove that for all T, C, $u = (\sigma_1,\tau_1)\ldots(\sigma_{n-1},\tau_{n-1})$, and $\sigma_n$, the set $\{\tau \mid u(\sigma_n,\tau) \in [\![T,C]\!]\}$ is finite, and similarly that the set $\{\tau \mid u(\sigma_n,\tau) \in [\![T]\!]\}$ is finite. The proof is by induction on n. The proof relies on adequacy; a purely semantic proof might be possible but seems harder.

• If C is skip, then Lemma 5.3 implies that $\tau_1$ is $\sigma_1\,\mathrm{Ret}$, and $(\sigma_2,\tau_2)\ldots(\sigma_n,\tau) \in [\![T]\!]$. In case $n = 1$, we are done, with a unique choice for $\tau_1$. Otherwise, we conclude by induction hypothesis.

• If C is blocked, then $n = 0$, by Lemma 5.2, so this case is vacuous.

• If C is neither skip nor blocked, then Lemma 5.8 implies that $\tau_1$ is unique. In case $n = 1$, we are done, with a unique choice for $\tau_1$. Otherwise, Lemma 5.8 also implies that $(\sigma_2,\tau_2)\ldots(\sigma_n,\tau) \in [\![T']\!]$ for a unique $T'$. As in the case of skip, the desired conclusion follows by induction hypothesis.

• Finally, having established the claim for sequences of length n for sets of the form $[\![T,C]\!]$, we consider sequences of length n in a set of the form $[\![T]\!]$. Suppose that T consists of $C_1,\ldots,C_k$. A transition sequence v in $[\![T]\!]$ is a shuffle of transition sequences in $[\![C_1]\!],\ldots,[\![C_k]\!]$, each of length at most n. The finiteness property for $[\![T]\!]$ follows from the fact that there are only finitely many possible ways of decomposing u as a shuffle. □

Intuitively, Lemma 5.12 is useful because it implies that, at any point, there are certain steps that a command cannot take, and in proofs those steps can be used as unambiguous, visible markers of activity by the context. This lemma is somewhat fragile: it does not hold once one adds to the language either the nondeterministic choice operator considered in Section 6.1 or the parallel composition operator of Section 4.6.2. It follows that neither of these operators is definable in the language. An alternative argument that does not use the lemma relies on fresh variables instead. The fresh variables permit an alternative definition of the desired markers.

Full-abstraction results invariably require some notion of observation. Let us write $\mathrm{obs}(P)$ for the observations that we make on $P \in \mathrm{Proc}$. Equational full abstraction is that $[\![C]\!] = [\![D]\!]$ if and only if, for every context $\mathcal{C}$, we have $\mathrm{obs}([\![\mathcal{C}[C]]\!]) = \mathrm{obs}([\![\mathcal{C}[D]]\!])$. In other words, two commands have the same meaning if and only if they yield the same observations in every context of the language. The stronger inequational full abstraction is that $[\![C]\!] \subseteq [\![D]\!]$ if and only if, for every context $\mathcal{C}$, we have $\mathrm{obs}([\![\mathcal{C}[C]]\!]) \subseteq \mathrm{obs}([\![\mathcal{C}[D]]\!])$. The difficult part of this equivalence is usually the implication from right to left: that if, for every context $\mathcal{C}$, $\mathrm{obs}([\![\mathcal{C}[C]]\!]) \subseteq \mathrm{obs}([\![\mathcal{C}[D]]\!])$, then $[\![C]\!] \subseteq [\![D]\!]$.

One possible candidate for $\mathrm{obs}(P)$ is $P^c$. This notion of observation can be criticized as too fine-grained. Nevertheless, we find it useful to prove full abstraction for this notion of observation, with the following lemma. We first need some auxiliary definitions for its proof, and the lemma that follows. Given two stores $\sigma$ and $\sigma'$, we define:

• a boolean expression $\mathrm{check}(\sigma)$ as the conjunction of the formulas $x = n$ for every variable x, where n is the natural number $\sigma(x)$ (so $\mathrm{check}(\sigma)$ is true in $\sigma$ and false elsewhere);

• a command $\mathrm{goto}(\sigma)$ as the sequence of assignments $x := n$ for every variable x, where n is the natural number $\sigma(x)$;

• a command $(\sigma \leadsto \sigma')$ as $\mathrm{if}\ \mathrm{check}(\sigma)\ \mathrm{then}\ \mathrm{goto}(\sigma')\ \mathrm{else}\ \mathrm{block}$;

• a command $(\sigma \leadsto \sigma' \leadsto \sigma'')$ as $(\sigma \leadsto \sigma'); \mathrm{yield}; (\sigma' \leadsto \sigma''); \mathrm{yield}$.

These definitions exploit the fact that the set of variables is finite. However, with more care, analogous definitions could be given otherwise, by focusing on the set of variables relevant to the programs under observation.
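The runs of Section 5.1, the operational reading of Corollary 5.11, and the $(\sigma \leadsto \sigma')$ commands just defined, rendered as an executable example added here (it is not code from the paper). It assumes a tuple encoding of the command syntax, expressions given as Python callables on the store, the $\to_a$ cases exactly as listed in the proof of Lemma 5.4, and a $\to_c$ step that keeps the store and may resume any pooled thread.

```python
# Stores are dicts (variable -> int); commands use the constructed tuple encoding below,
# a choice of this example and not the paper's notation.
SKIP, BLOCK, YIELD = ("skip",), ("block",), ("yield",)
def assign(x, e): return ("assign", x, e)   # e: Store -> int
def seq(c, d): return ("seq", c, d)
def async_(c): return ("async", c)
def if_(b, c, d): return ("if", b, c, d)    # b: Store -> bool
def while_(b, c): return ("while", b, c)

def decompose(cmd):
    """Split C = E[redex]; E is returned as the pending right-hand commands, innermost first."""
    ctx = []
    while cmd[0] == "seq":
        ctx.insert(0, cmd[2])
        cmd = cmd[1]
    return ctx, cmd

def plug(ctx, hole):
    """E[hole]: re-nest the pending commands around the redex."""
    for d in ctx:
        hole = seq(hole, d)
    return hole

def step(store, pool, cmd):
    """One ->a transition of (sigma, T, C), case by case as in the proof of Lemma 5.4.
    Returns None when C is skip (the thread has finished) or blocked."""
    ctx, red = decompose(cmd)
    tag = red[0]
    if tag == "skip":      # E[skip; D] -> E[D]; a bare skip takes no step
        return (store, pool, plug(ctx[1:], ctx[0])) if ctx else None
    if tag == "block":     # E[block] is stuck
        return None
    if tag == "assign":    # E[x := e] -> E[skip] with the store updated
        return {**store, red[1]: red[2](store)}, pool, plug(ctx, SKIP)
    if tag == "async":     # E[async D] -> E[skip], pool becomes T.D
        return store, pool + [red[1]], plug(ctx, SKIP)
    if tag == "yield":     # E[yield] -> skip, continuation E[skip] joins the pool
        return store, pool + [plug(ctx, SKIP)], SKIP
    if tag == "if":
        return store, pool, plug(ctx, red[2] if red[1](store) else red[3])
    if tag == "while":     # one unrolling, as in the proof of Lemma 5.6
        return store, pool, plug(ctx, if_(red[1], seq(red[2], red), SKIP))
    raise ValueError(f"unknown command {tag}")

def freeze(store):
    """Hashable image of a store, so runs can be collected in a set."""
    return tuple(sorted(store.items()))

def runs(store, cmd, fuel=500):
    """runs([C]) in the sense of Section 5.1 and Corollary 5.11, for an empty context: a ->c
    step keeps the store and may resume any pooled thread (Lemma 5.1(5)). A run is a tuple of
    frozen stores, one per thread segment, ending in 'Done' when the pool is empty and the last
    thread finishes; a blocked thread (Lemma 5.2) or exhausted fuel leaves only the prefix."""
    out = set()
    def go(store, pool, cmd, run, fuel):
        while fuel > 0 and (r := step(store, pool, cmd)) is not None:  # ->a* of this thread
            store, pool, cmd = r
            fuel -= 1
        if cmd != SKIP:
            out.add(run)
            return
        run = run + (freeze(store),)
        if not pool:
            out.add(run + ("Done",))
            return
        for i in range(len(pool)):                                     # ->c: any thread next
            go(store, pool[:i] + pool[i + 1:], pool[i], run, fuel)
    go(store, [], cmd, (freeze(store),), fuel)
    return out

def transit(s, t):
    """(sigma ~> sigma') of Section 5.3: if check(sigma) then goto(sigma') else block."""
    check = lambda st: all(st[x] == v for x, v in s.items())
    goto = SKIP
    for x, v in t.items():
        goto = seq(goto, assign(x, (lambda n: lambda st: n)(v)))
    return if_(check, goto, BLOCK)

# Constructed sample: C = async (x := x + 10); x := 1; yield; x := x * 2, started at x = 0.
SAMPLE = seq(async_(assign("x", lambda st: st["x"] + 10)),
             seq(assign("x", lambda st: 1),
                 seq(YIELD, assign("x", lambda st: st["x"] * 2))))

def sample_runs():
    """Two runs: the spawned thread resumes either before or after the yielded continuation."""
    return runs({"x": 0}, SAMPLE)

def marked_runs(s, t):
    """Lemma 5.13's context []; (s ~> t) around SAMPLE: the marker t appears only if SAMPLE
    hands control back in store s; otherwise the context blocks and the run stops there."""
    return runs({"x": 0}, seq(SAMPLE, transit(s, t)))
```

The two runs of SAMPLE differ only in which thread is resumed at the yield, since no preemption happens between yields; with the marker context, the fresh store t shows up in a run exactly when some run of SAMPLE returns control in store s, and a wrong guess for s blocks the context and cuts the run short.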

Lemma 5.13. If $[\![\mathcal{C}[C]]\!]^c \subseteq [\![\mathcal{C}[D]]\!]^c$ for every context $\mathcal{C}$, then $[\![C]\!] \subseteq [\![D]\!]$.

Proof. Letting $P = [\![C]\!]$ and $Q = [\![D]\!]$, we assume that $P \not\subseteq Q$ and prove that there exists $\mathcal{C}$ such that $[\![\mathcal{C}]\!](P)^c \not\subseteq [\![\mathcal{C}]\!](Q)^c$. For this, choose a sequence w in P but not in Q. If $w = w^c$, then we can take $\mathcal{C}$ to be $[\,]$. Therefore, for the rest of the proof, we consider the case $w \neq w^c$.

If $w \neq w^c$, then w is of the form $u(\sigma,\sigma'\,\mathrm{Ret})v$. We let $\mathcal{C} = [\,]; (\sigma' \leadsto \sigma'')$ where $\sigma''$ does not appear in u or v and $u(\sigma,\sigma'') \notin Q$ (so, by prefix-closure, $u(\sigma,\sigma'')v \notin Q$). Such a choice of $\sigma''$ is always possible by Lemma 5.12. Thus, $[\![\mathcal{C}]\!](P)$ contains $u(\sigma,\sigma''\,\mathrm{Ret})v$, and $[\![\mathcal{C}]\!](P)^c$ contains $u(\sigma,\sigma'')v$.

Suppose that $u(\sigma,\sigma'')v$ is also in $[\![\mathcal{C}]\!](Q)^c$, and that this is because some sequence $w'$ is in $[\![\mathcal{C}]\!](Q)$ and $w'^c = u(\sigma,\sigma'')v$. By the definition of the semantics of sequential composition, this could arise in one of the following ways:

• $w' = u(\sigma,\sigma''\,\mathrm{Ret})v$, with $w \in Q$. This contradicts $w \notin Q$.

• $w' = u'(\sigma,\sigma'')v'$, and $\sigma''$ occurs as the second store of a return transition in either $u'$ or $v'$. This contradicts the requirement that $\sigma''$ does not appear in u or v.

• $w' = u(\sigma,\sigma'')v$, $w' \in Q$, and $w'$ does not have a return transition. This contradicts the requirement that $u(\sigma,\sigma'') \notin Q$. □

Another possible candidate for $\mathrm{obs}(P)$ is $\mathrm{runs}(P)$. Runs record more than mere input-output behavior, but much less than entire execution histories. We therefore find them attractive for our purposes. The following lemma connects runs to cleaning.

Lemma 5.14. If $\mathrm{runs}([\![\mathcal{C}[C]]\!]) \subseteq \mathrm{runs}([\![\mathcal{C}[D]]\!])$ for every context $\mathcal{C}$, then $[\![C]\!]^c \subseteq [\![D]\!]^c$.

Proof. Letting $P = [\![C]\!]$ and $Q = [\![D]\!]$, we assume that $P^c \not\subseteq Q^c$ and prove that there exists $\mathcal{C}$ such that $\mathrm{runs}([\![\mathcal{C}]\!](P)) \not\subseteq \mathrm{runs}([\![\mathcal{C}]\!](Q))$.

For this, choose a sequence $w \in P^c$ but $w \notin Q^c$, in order to derive a contradiction.

First, suppose that w is of the form $(\sigma_1,\sigma'_1)\ldots(\sigma_n,\sigma'_n)$, with $n > 0$. We let $\mathcal{C}$ be $\mathrm{async}\ [\,]; \mathrm{mesh}(w)$, where $\mathrm{mesh}(w)$ is the command

$$\mathrm{yield}; (\sigma'_1 \leadsto \sigma''_1 \leadsto \sigma_2); \ldots; (\sigma'_{n-1} \leadsto \sigma''_{n-1} \leadsto \sigma_n); (\sigma'_n \leadsto \sigma''_n)$$

where the stores $\sigma''_i$ are all different from one another and from all other stores in w, and are such that

$$(\sigma_1,\sigma'_1)\ldots(\sigma_n,\sigma'_n)(\sigma'_n,\sigma''_n) \notin Q^c$$

and

$$(\sigma_1,\sigma'_1)\ldots(\sigma_{i-1},\sigma'_{i-1})(\sigma''_{i-1},\sigma_i)(\sigma_i,\sigma'_i)(\sigma'_i,\sigma''_i) \notin Q^c$$

Such a choice of stores $\sigma''_i$ is always possible by Lemma 5.12. Since $[\![\mathrm{mesh}(w)]\!]$ contains the transition sequence:

$$(\sigma_1,\sigma_1)(\sigma'_1,\sigma''_1)(\sigma''_1,\sigma_2)\ldots(\sigma'_{n-1},\sigma''_{n-1})(\sigma''_{n-1},\sigma_n)(\sigma'_n,\sigma''_n\,\mathrm{Ret})\mathrm{Done}$$

we obtain that $[\![\mathcal{C}]\!](P)$ contains the transition sequence:

$$(\sigma_1,\sigma_1)(\sigma_1,\sigma'_1)(\sigma'_1,\sigma''_1)(\sigma''_1,\sigma_2)(\sigma_2,\sigma'_2)\ldots(\sigma''_{n-1},\sigma_n)(\sigma_n,\sigma'_n)(\sigma'_n,\sigma''_n\,\mathrm{Ret})$$

which generates the run:

$$\sigma_1\sigma_1\sigma'_1\sigma''_1\sigma_2\sigma'_2\ldots\sigma''_{n-1}\sigma_n\sigma'_n\sigma''_n$$

Suppose that this run is also in $\mathrm{runs}([\![\mathcal{C}]\!](Q))$. Therefore, there exists $w' \in Q^c$ such that

$$(\sigma_1,\sigma'_1)(\sigma'_1,\sigma''_1)(\sigma''_1,\sigma_2)(\sigma_2,\sigma'_2)\ldots(\sigma''_{n-1},\sigma_n)(\sigma_n,\sigma'_n)(\sigma'_n,\sigma''_n)$$

is a shuffle of $w'$ with

$$(\sigma'_1,\sigma''_1)(\sigma''_1,\sigma_2)\ldots(\sigma''_{n-1},\sigma_n)(\sigma'_n,\sigma''_n)\mathrm{Done}$$

which we call $w''$, or with a prefix of $w''$. We analyze the origin of the transitions in the shuffle:

• The transitions $(\sigma_i,\sigma'_i)$ must all come from $w'$, since each of the transitions in $w''$ contains one of the stores $\sigma''_j$ and, by choice, these are different from $\sigma_i$ and $\sigma'_i$.

• Suppose that, up to some $i - 1 < n$, $w'$ starts like w, in other words it starts as $(\sigma_1,\sigma'_1)\ldots(\sigma_{i-1},\sigma'_{i-1})$. Suppose further that, in the shuffle up to this point, each transition $(\sigma_j,\sigma'_j)$ is followed immediately by the corresponding transitions $(\sigma'_j,\sigma''_j)(\sigma''_j,\sigma_{j+1})$ from $w''$. We argue that this remains the case up to n.

— We consider $(\sigma'_{i-1},\sigma''_{i-1})$, the next possible transition in the shuffle. This transition cannot come from $w'$ because, by the choice of $\sigma''_{i-1}$, we have that

$$(\sigma_1,\sigma'_1)\ldots(\sigma_{i-1},\sigma'_{i-1})(\sigma'_{i-1},\sigma''_{i-1}) \notin Q^c$$

So this transition comes from $w''$.

— One step further, in order to derive a contradiction, we suppose that the transition $(\sigma''_{i-1},\sigma_i)$ comes from $w'$. So $w'$ starts:

$$(\sigma_1,\sigma'_1)\ldots(\sigma_{i-1},\sigma'_{i-1})(\sigma''_{i-1},\sigma_i)$$

and in fact:

$$(\sigma_1,\sigma'_1)\ldots(\sigma_{i-1},\sigma'_{i-1})(\sigma''_{i-1},\sigma_i)(\sigma_i,\sigma'_i)$$

since, as noted above, the last transition here must come from $w'$. The next transition in the shuffle is $(\sigma'_i,\sigma''_i)$. By the choice of $\sigma''_i$, we have that

$$(\sigma_1,\sigma'_1)\ldots(\sigma_{i-1},\sigma'_{i-1})(\sigma''_{i-1},\sigma_i)(\sigma_i,\sigma'_i)(\sigma'_i,\sigma''_i) \notin Q^c$$

So the transition $(\sigma'_i,\sigma''_i)$ cannot come from $w'$. Therefore, it must come from $w''$. However, the next available transition in $w''$ is $(\sigma''_{i-1},\sigma_i)$, and $(\sigma'_i,\sigma''_i)$ and $(\sigma''_{i-1},\sigma_i)$ must be different because $\sigma''_{i-1}$ and $\sigma''_i$ are different, by choice, from $\sigma'_i$ and $\sigma_i$. Thus, the assumption that the transition $(\sigma''_{i-1},\sigma_i)$ comes from $w'$ leads to a contradiction. This transition must come from $w''$.

• Finally, suppose that, up to n, $w'$ starts like w, in other words as:

$$(\sigma_1,\sigma'_1)\ldots(\sigma_n,\sigma'_n)$$

and that, in the shuffle, each transition $(\sigma_j,\sigma'_j)$ is followed immediately by the corresponding transitions $(\sigma'_j,\sigma''_j)(\sigma''_j,\sigma_{j+1})$ from $w''$. By the choice of $\sigma''_n$, we have that

$$(\sigma_1,\sigma'_1)\ldots(\sigma_n,\sigma'_n)(\sigma'_n,\sigma''_n) \notin Q^c$$

so $(\sigma'_n,\sigma''_n)$ comes from $w''$, not from $w'$.

In sum, $w' = w$, and therefore $w \in Q^c$, contradicting our assumption that $w \notin Q^c$.

Next, suppose that w is of the form $(\sigma_1,\sigma'_1)\ldots(\sigma_n,\sigma'_n)\mathrm{Done}$. With the same $\mathcal{C}$, we obtain that $[\![\mathcal{C}]\!](P)$ contains the transition sequence:

$$(\sigma_1,\sigma_1)(\sigma_1,\sigma'_1)(\sigma'_1,\sigma''_1)(\sigma''_1,\sigma_2)(\sigma_2,\sigma'_2)\ldots(\sigma''_{n-1},\sigma_n)(\sigma_n,\sigma'_n)(\sigma'_n,\sigma''_n\,\mathrm{Ret})\mathrm{Done}$$

which generates the run:

$$\sigma_1\sigma_1\sigma'_1\sigma''_1\sigma_2\sigma'_2\ldots\sigma''_{n-1}\sigma_n\sigma'_n\sigma''_n\mathrm{Done}$$

Suppose that this run is also in $\mathrm{runs}([\![\mathcal{C}]\!](Q))$. Again, by the choice of $\sigma''_1,\ldots,\sigma''_n$, this can be the case only if w is in $Q^c$. (The argument for the contradiction may actually be simplified in this case, because of the marker Done.) □

We obtain the following Full-abstraction Theorem:

Theorem 5.15. $[\![C]\!] \subseteq [\![D]\!]$ iff, for every context $\mathcal{C}$, $\mathrm{runs}([\![\mathcal{C}[C]]\!]) \subseteq \mathrm{runs}([\![\mathcal{C}[D]]\!])$.

Proof. The implication from $[\![C]\!] \subseteq [\![D]\!]$ is an immediate consequence of the compositionality of the semantics (Proposition 4.2). The converse follows from Lemmas 5.13 and 5.14. □

Coarser-grained definitions of $\mathrm{obs}(P)$ may sometimes be appropriate. For those, we expect that full abstraction will typically require additional closure conditions on P, such as closure under suitable forms of stuttering and mumbling, much as in our work and Brookes's on parallel composition [AP93, Bro96].

6. Algebra 

The development of the denotational semantics in Section 4 is ad hoc, in that the semantics is not related to any systematic approach. In this section we show how it fits in with the algebraic theory of effects [PP02, PP03, HPP06, PP08, PP09].

In the functional programming approach to imperative languages, commands have unit type, 1. Then, taking the monadic point of view [BHM02], they are modeled as elements of $T(1)$ for a suitable monad T on, say, the category of $\omega$-cpos and continuous functions. For parallelism one might look for something along the lines of the resumptions monad [HP79, CM93, HPP06].

In the algebraic approach to computational effects [PP02, HPP06], one analyses the monads as free algebra monads for a suitable equational or Lawvere theory L (here meaning in the enriched sense, so that inequations are allowed, as are families of operations continuously parameterized over an $\omega$-cpo). The operations of the theory (for example a binary choice operation in the case of nondeterminism) are thought of as effect constructors in that they create the effects at hand.

As discussed in [HP79], resumptions are generally not fully abstract when their domain equation is solved in a category of cpos. If, instead, it is solved in a category of semilattices, increased abstraction may be obtained. The situation was analyzed from the algebraic point of view in [HPP06]. It was shown there that resumptions arise by combining a theory for stores [PP02] with one for nondeterminism, one for nontermination, and one for a unary operation $\partial$ thought of as suspending computation. The difference between solving the equation in a category of semilattices or cpos essentially amounts to whether or not one asks that $\partial$, and the other operations, commute with nondeterminism.

In [Bro96], Brookes, using an apparently different and mathematically elementary trace-based approach, succeeded in giving a fully abstract semantics for a language of the kind considered in [HP79]. However, in [Jef95], Jeffrey showed that trace-based models of concurrent languages can arise as solutions to domain equations in a category of semilattices, thereby relating the two approaches.

We propose here to identify the suspension operation $\partial$ with the operation of the same name introduced in Section 4.3; indeed this identification was the origin of the definition of yield given there, and it is natural to further identify yield as the generic effect [PP03] corresponding to the suspension operation. These identifications are justified by Corollary 6.5 below, and the discussion following it.

In Section 6.1 we carry out an algebraic analysis of resumptions. We show in Theorem 6.1 that, imposing the commutations with nondeterminism just discussed, they do indeed correspond to a traces model, provided one uses the Hoare or lower powerdomain. (This powerdomain is a natural choice as we consider only "may" semantics in this paper, and elements of such powerdomains are Scott closed, so downwards-closed, a natural generalization of our prefix-closedness condition.) The proof makes the link between domain equations and traces.

The missing ingredient in an algebraic analysis of Proc is then an account of async. In the denotational semantics of any command of the form async C, all Ret marking is lost from the meaning of C, because of the application of the cleaning function; further, all the sequences in $[\![C]\!]^c$ are proper. We propose to treat async as a generic effect, parameterized by an element of AProc (which will be $[\![C]\!]^c$).

In order to give the equations for the async operation it will, as one may expect, be useful to first have an algebraic analysis of AProc; we carry out this analysis in Section 6.2. It turns out, as detailed in Theorem 6.2, that AProc is similar to, but not quite, a resumptions $\omega$-cpo. Finally, we analyze processes in Section 6.3, showing, in Theorem 6.4, that a process is a kind of "double-thread", more precisely, a resumption that returns not only a value but also an element of AProc.

6.1. Resumptions. Our theory $L_{Res}$ for resumptions follows [HPP06] but is somewhat modified, as we are interested only in "may" semantics and as we wish to allow infinitely proceeding processes. The theory is a combination of several constituent theories which we now consider successively.

The Lawvere theory $L_S$ of stores can be presented via a family of unary operations $\mathrm{update}_{x,n}$ and a family of "$\mathbb{N}$-ary" operations $\mathrm{lookup}_x$ ($x \in \mathrm{Vars}$, $n \in \mathbb{N}$). (An $\mathbb{N}$-ary operation is a countably infinitary operation whose arguments are indexed by the natural numbers.) For any computation $\gamma$, $\mathrm{update}_{x,n}(\gamma)$ is read as the computation that first updates x to n and then proceeds as $\gamma$; for any $\mathbb{N}$-indexed collection $(\gamma_n)_n$ of computations, $\mathrm{lookup}_x((\gamma_n)_n)$ is read as the computation that proceeds as $\gamma_n$ if x has value n in the current store.

The Lawvere theory $L_H$ for nondeterminism is that of the lower (aka Hoare) powerdomain, presented using a binary nondeterministic choice operation $\cup$; the Lawvere theory $L_\Omega$ for nontermination is the theory of a least element, presented using a constant $\Omega$; and the Lawvere theory $L_\partial$ for suspension is that of a unary operation $\partial$, with no equations. See [PP02, HPP06] for more details of these theories, including an account of the equations for stores and for Hoare powerdomains.

For resumptions, continuing to follow [HPP06], we wish the operations of $L_S$ to commute with those of $L_H$ and $L_\Omega$ (which automatically commute with each other) and it is also natural to have $\partial$ commute with nondeterministic choice, but not with the operations of $L_S$, as we wish to model interruption points, and not with $\Omega$, as we want to be able to model infinitely proceeding processes. We therefore define:

$$L_{Res} = L_H \otimes ((L_S \otimes L_\Omega) + L_\partial)$$

and let $T_{Res}$ be the associated monad. (For any two theories L and $L'$ presented using disjoint signatures, the theories $L + L'$ and $L \otimes L'$ can be presented using the union of the signatures of L and $L'$ and, in the former case, by the union of their equations and, in the latter case, by the union of their equations together with additional equations that say that each operation of each theory commutes with each operation of the other.)

We now give an elementary trace-based picture of $T_{Res}(P)$ for sufficiently general $\omega$-cpos P. Let Q be a partial order. A Q-transition is a pair of states $(\sigma, \sigma' x)$ in which the second is marked with an element x of Q; we let $\tau$ range over stores and stores marked with an element of Q. A basic Q-transition sequence is a non-empty sequence consisting of plain transitions optionally followed by a Q-transition. Let $\leq_Q$ be the least preorder on the set of basic Q-transition sequences which contains the prefix relation $\leq_p$ and is such that, for any x, y in Q, if $x \leq y$ then $u(\sigma, \sigma' x) \leq_Q u(\sigma, \sigma' y)$. One has that $\leq_Q$ is a partial order and that $u \leq_Q v$ holds iff:

$$\text{either } u \leq_p v \quad \text{or else } \exists w, x \leq y.\ u \leq_p w(\sigma, \sigma' x) \wedge v = w(\sigma, \sigma' y)$$

We need a few notions concerning ideals in partial orders. An ideal I in a partial order Q is a downwards-closed subset of Q; for any subset X of Q we write $X\!\downarrow$ for the least ideal including X, viz $\{x \in Q \mid \exists y \in X.\ x \leq y\}$; and for any $x \in Q$ we write $x\!\downarrow$ for $\{x\}\!\downarrow$. Downwards-closed sets, i.e., ideals, provide a suitable generalization of prefix-closed sets when passing from sequences to general partial orders.

An ideal I is directed if it is nonempty and any two elements of the ideal have an upper bound in the ideal. An ideal is denumerably generated if $I = X\!\downarrow$ for some denumerable $X \subseteq I$. We write $\mathcal{I}_\omega(Q)$, respectively $\mathcal{I}^\vee_\omega(Q)$, for the collection of all denumerably generated directed ideals of Q, respectively all denumerably generated ideals of Q, and we partially order them by subset; $\mathcal{I}_\omega(Q)$ is an $\omega$-cpo, indeed it is the free such over Q; and $\mathcal{I}^\vee_\omega(Q)$ is the free $\omega$-cpo with all finite sups over Q: it follows that it is also the free such $\omega$-cpo over $\mathcal{I}_\omega(Q)$.

Let Q-BTrans be the set of basic Q-transition sequences, partially ordered as above. One can view $\mathcal{I}^\vee_\omega(Q\text{-BTrans})$ as an $L_{Res}$-model with the following definitions of the operations, where now we use l to range over Vars:

$$(\mathrm{update}_{l,n})_{\mathcal{I}^\vee_\omega(Q\text{-BTrans})}(I) = \{(\sigma,\tau)u \mid (\sigma[l \mapsto n],\tau)u \in I\}$$

$$(\mathrm{lookup}_l)_{\mathcal{I}^\vee_\omega(Q\text{-BTrans})}((I_n)_n) = \bigcup_n \{(\sigma,\tau)u \in I_n \mid \sigma(l) = n\}$$

$$I \cup_{\mathcal{I}^\vee_\omega(Q\text{-BTrans})} J = I \cup J$$

$$\Omega_{\mathcal{I}^\vee_\omega(Q\text{-BTrans})} = \emptyset$$

$$\partial_{\mathcal{I}^\vee_\omega(Q\text{-BTrans})}(I) = \{(\sigma,\sigma)u \mid \sigma \in \mathrm{Store}, u \in I\} \cup \{(\sigma,\sigma) \mid \sigma \in \mathrm{Store}\}$$

(We skip over the small difference between the notion of an $L_{Res}$-model and of an algebra satisfying equations.)

We write $\omega\mathbf{Cpo}$ and $\omega\mathbf{SL}$ for, respectively, the category of $\omega$-cpos and the category of $\omega$-cpos with all finite sups. For any poset P, its lifting $P_\bot$ is the poset obtained from P by freely adjoining a least element $\bot$; its elements are $(0,x)$, for $x \in P$, and $\bot$, and they are ordered in the evident way. If P has all sups of increasing $\omega$-chains, i.e., is an $\omega$-cpo (respectively has finite sups), so does $P_\bot$. For any object a of any given category, and any set X, we write $X \otimes a$ and $a^X$ for, respectively, the X-fold sum and product of a with itself, assuming they exist. The category $\omega\mathbf{SL}$ has countable biproducts, given by the usual cartesian product of posets, and it is convenient to identify $X \otimes L$ with $L^X$, for countable sets X.

The next theorem shows that the algebraic notion of resumptions can indeed be characterized in trace-based terms, specifically as ideals of basic Q-transition sequences.

Theorem 6.1. Viewed as an $L_{Res}$-model, $\mathcal{I}^\vee_\omega(Q\text{-BTrans})$ is $T_{Res}(\mathcal{I}_\omega(Q))$. The unit

$$(\eta_{T_{Res}})_{\mathcal{I}_\omega(Q)} : \mathcal{I}_\omega(Q) \to \mathcal{I}^\vee_\omega(Q\text{-BTrans})$$

is given by:

$$(\eta_{T_{Res}})_{\mathcal{I}_\omega(Q)}(I) = \{(\sigma, \sigma\,x) \mid \sigma \in \mathrm{Store}, x \in I\}$$

and, for any continuous $f : \mathcal{I}_\omega(Q) \to \mathcal{I}^\vee_\omega(R\text{-BTrans})$, its Kleisli extension

$$f^\dagger : \mathcal{I}^\vee_\omega(Q\text{-BTrans}) \to \mathcal{I}^\vee_\omega(R\text{-BTrans})$$

is given by:

$$f^\dagger(I) = \{u(\sigma,\tau)v \mid \exists \sigma', x.\ u(\sigma,\sigma' x) \in I,\ (\sigma',\tau)v \in f(x\!\downarrow)\} \cup \{u \in I \mid u \text{ has no } Q\text{-transition}\}$$

Proof. Models of $L_{Res}$ in $\omega\mathbf{Cpo}$ correspond to models of $L_S$ in $\omega\mathbf{SL}$ together with a morphism $\partial' : L_\bot \to L$, where L is the carrier of the model. (Such morphisms are equivalent to $\omega$-continuous maps on L which preserve binary sups, but not necessarily $\bot$.) The carrier L of the model of $L_{Res}$ is that of the model of $L_S$ in $\omega\mathbf{SL}$; it is necessarily an $\omega$-cpo with all finite lubs. The $L_S$ operations on L become those of the model of $L_S$ in $\omega\mathbf{SL}$, and the map $\partial : L \to L$ extends uniquely to a morphism on $L_\bot$, obtaining the required map $\partial'$. This correspondence extends straightforwardly to an equivalence of categories.

So, as $\mathcal{I}^\vee_\omega(Q)$ is the free $\omega$-cpo with finite sups over the $\omega$-cpo $\mathcal{I}_\omega(Q)$, we seek the free structure

$$(L, (\mathrm{update}_{l,n})_L, (\mathrm{lookup}_l)_L, \partial'_L)$$

over $\mathcal{I}_\omega(Q)$, consisting of a model $(L, (\mathrm{update}_{l,n})_L, (\mathrm{lookup}_l)_L)$ of $L_S$ in $\omega\mathbf{SL}$ and a morphism $\partial'_L : L_\bot \to L$.

By Theorem 1 of [PP02] the free algebra monad for $L_S$ over $\omega\mathbf{SL}$ is $T_S = (S \otimes -)^S$, where we abbreviate Store to S (the theorem depends on the set of variables being finite). The definitions of the operations $(\mathrm{update}_{l,n})_{T_S(L)}$ and $(\mathrm{lookup}_l)_{T_S(L)}$ of an algebra $T_S(L)$ are given by Proposition 1 of [PP02]; the unit $(\eta_{T_S})_L$ at L is the canonical map $L \to (S \otimes L)^S$.

So, by Corollary 2 of [HPP06], for any poset Q, L is the solution of the following "domain equation" in $\omega\mathbf{SL}$:

$$L \cong (S \otimes (L_\bot + \mathcal{I}_\omega(Q)))^S \qquad (6.1)$$

by which we mean the initial $\omega$-cpo with finite sups L and map

$$\alpha : (S \otimes (L_\bot + \mathcal{I}_\omega(Q)))^S \to L$$

(Such a map is necessarily an isomorphism.)

The morphism $(\mathrm{update}_{l,n})_L : L \to L$ is

$$L \xrightarrow{\ \alpha^{-1}\ } T_S(L_\bot + \mathcal{I}_\omega(Q)) \xrightarrow{\ (\mathrm{update}_{l,n})_{T_S(L_\bot + \mathcal{I}_\omega(Q))}\ } T_S(L_\bot + \mathcal{I}_\omega(Q)) \xrightarrow{\ \alpha\ } L$$

the morphism $(\mathrm{lookup}_l)_L : L^{\mathbb{N}} \to L$ is

$$L^{\mathbb{N}} \xrightarrow{\ (\alpha^{-1})^{\mathbb{N}}\ } T_S(L_\bot + \mathcal{I}_\omega(Q))^{\mathbb{N}} \xrightarrow{\ (\mathrm{lookup}_l)_{T_S(L_\bot + \mathcal{I}_\omega(Q))}\ } T_S(L_\bot + \mathcal{I}_\omega(Q)) \xrightarrow{\ \alpha\ } L$$

the morphism $\partial'_L : L_\bot \to L$ is

$$L_\bot \xrightarrow{\ (\eta_{T_S})_{L_\bot}\ } T_S(L_\bot) \xrightarrow{\ T_S(\mathrm{inl})\ } T_S(L_\bot + \mathcal{I}_\omega(Q)) \xrightarrow{\ \alpha\ } L$$

and at $\mathcal{I}_\omega(Q)$ the unit $\eta_{T_{Res}}$ is

$$\mathcal{I}_\omega(Q) \xrightarrow{\ \mathrm{inr}\ } L_\bot + \mathcal{I}_\omega(Q) \xrightarrow{\ (\eta_{T_S})_{L_\bot + \mathcal{I}_\omega(Q)}\ } T_S(L_\bot + \mathcal{I}_\omega(Q)) \xrightarrow{\ \alpha\ } L$$

Now, since countable copowers and powers coincide in $\omega\mathbf{SL}$, Equation (6.1) can be rewritten as:

$$L \cong S \otimes (S \otimes (L_\bot + \mathcal{I}_\omega(Q))) \qquad (6.2)$$
As $\mathcal{I}_\omega : \mathrm{Pos} \to \omega\mathrm{SL}$ is a left adjoint, where Pos is the category of posets, it preserves all colimits; also $\mathcal{I}_\omega$ commutes with lifting. So there is an isomorphism:
$$\beta : \mathcal{I}_\omega(S \times (S \times (R_\bot + Q))) \cong S \otimes (S \otimes (\mathcal{I}_\omega(R)_\bot + \mathcal{I}_\omega(Q)))$$
for any poset $R$. So, again using that $\mathcal{I}_\omega$ preserves all colimits, we can solve Equation (6.2) by first solving the equation:
$$R \cong S \times (S \times (R_\bot + Q))$$
in the category Pos, and then applying $\mathcal{I}_\omega$. To do that, one takes $R$ to be the least set such that
$$R = S \times (S \times (R_\bot + Q))$$
and then imposes the evident inductively defined partial order on it. The solution of Equation (6.2) is then given by taking $L = \mathcal{I}_\omega(R)$ and $\alpha = \beta^{-1}$.

We now have an expression of $L$ as $\mathcal{I}_\omega(R)$, as well as definitions of $(\mathrm{update}_{l,n})_L$, $(\mathrm{lookup}_l)_L$, $d'$, and the unit. So, given the initial discussion above, we see that $L$ forms the free model of $L_{\mathrm{Res}}$ over $\mathcal{I}_\downarrow(Q)$ with unit:
$$(\eta_{\mathrm{Res}})_{\mathcal{I}_\downarrow(Q)}(I) = \{(\sigma,(\sigma,\mathrm{inr}(x))) \mid x \in I\}$$
and with operations:
$$(\mathrm{update}_{l,n})_L(I) = \{(\sigma,(\sigma',u)) \mid (\sigma[l \mapsto n],(\sigma',u)) \in I\}$$
$$(\mathrm{lookup}_l)_L((I_n)_n) = \{(\sigma,(\sigma',u)) \in I_n \mid n \in \mathbb{N},\ \sigma(l) = n\}$$
$$I \cup_L J = I \cup J$$
$$\Omega_L = \emptyset$$
$$d_L(I) = \{(\sigma,(\sigma,\mathrm{inl}((0,u)))) \mid \sigma \in S,\ u \in I\} \cup \{(\sigma,(\sigma,\mathrm{inl}(\bot))) \mid \sigma \in S\}$$

There is an evident isomorphism of partial orders $\theta_{\mathrm{Res}} : R \cong Q\text{-BTrans}$, given recursively by:
$$\theta_{\mathrm{Res}}((\sigma,(\sigma',\mathrm{inl}((0,u))))) = (\sigma,\sigma')\,\theta_{\mathrm{Res}}(u)$$
$$\theta_{\mathrm{Res}}((\sigma,(\sigma',\mathrm{inl}(\bot)))) = (\sigma,\sigma')$$
$$\theta_{\mathrm{Res}}((\sigma,(\sigma',\mathrm{inr}(x)))) = (\sigma,\sigma'x)$$
This induces an isomorphism $\mathcal{I}_\omega(R) \cong \mathcal{I}_\omega(Q\text{-BTrans})$ of $\omega$-cpos, and so the free such model is also carried by $\mathcal{I}_\omega(Q\text{-BTrans})$. Using this, and the above definitions of the operations and unit for $\mathcal{I}_\omega(R)$, one then verifies that the operations and unit for $\mathcal{I}_\omega(Q\text{-BTrans})$ are as required.

As regards the formula for the Kleisli extension, that $f^\dagger \circ (\eta_{T_{\mathrm{Res}}})_{\mathcal{I}_\downarrow(Q)} = f$ is evident, and that the purported extension is a morphism of models of $L_{\mathrm{Res}}$ is a calculation. □

One can go further and obtain a closely related, if less elementary, picture of $T_{\mathrm{Res}}(P)$ for an arbitrary $\omega$-cpo $P$: one needs a notion of ideal that takes the $\omega$-sups of $P$ into account.



6.2. Asynchronous Processes. One might hope that AProc can be understood as an $\omega$-cpo of resumptions, and, indeed, basic $\{\mathrm{Done}\}$-transition sequences and proper pure non-empty transition sequences are very similar. Define a map $\theta_{\mathrm{AProc}} : \{\mathrm{Done}\}\text{-BTrans} \to \mathrm{PPSeq}$ by:
$$\theta_{\mathrm{AProc}}(u(\sigma,\sigma'\mathrm{Done})) = u(\sigma,\sigma')\mathrm{Done}$$
$$\theta_{\mathrm{AProc}}(u) = u \qquad (\text{if } u \text{ does not contain Done})$$
Unfortunately, while $\theta_{\mathrm{AProc}}$ is a monotonic bijection, it is not an isomorphism of partial orders, as $u(\sigma,\sigma') \leq_P u(\sigma,\sigma')\mathrm{Done}$ but $u(\sigma,\sigma') \not\leq_{\{\mathrm{Done}\}\text{-BTrans}} u(\sigma,\sigma'\mathrm{Done})$.
There is a related programming language phenomenon. Denotationally, we have the inclusion:
$$[\![(\mathrm{async}\ (\mathrm{yield}; \mathrm{block})); C]\!] \subseteq [\![(\mathrm{async}\ \mathrm{skip}); C]\!]$$
but not the inclusion:
$$[\![\mathrm{yield}; \mathrm{block}]\!] \subseteq [\![\mathrm{skip}]\!]$$
As in the proof of the full-abstraction theorem, one can distinguish $[\![\mathrm{yield}; \mathrm{block}]\!]$ from $[\![\mathrm{skip}]\!]$ using a sequential context; however, this context is not available when the command is within an async.

To solve this difficulty we take the theory of asynchronous threads $L_{\mathrm{AProc}}$ to be $L_{\mathrm{Res}}$ extended by a new constant $\mathrm{halt}$ and the inequation:
$$d(\Omega) \leq \mathrm{halt}$$
We can turn AProc into a model of $L_{\mathrm{AProc}}$ by defining operations as follows:
$$(\mathrm{update}_{l,n})_{\mathrm{AProc}}(P) = \{(\sigma,\sigma')u \mid (\sigma[l \mapsto n],\sigma')u \in P\} \cup \{\varepsilon\}$$
$$(\mathrm{lookup}_l)_{\mathrm{AProc}}((P_n)_n) = \bigcup_n \{(\sigma,\sigma')u \in P_n \mid \sigma(l) = n\} \cup \{\varepsilon\}$$
$$P \cup_{\mathrm{AProc}} Q = P \cup Q$$
$$\Omega_{\mathrm{AProc}} = \{\varepsilon\}$$
$$d_{\mathrm{AProc}}(P) = \{(\sigma,\sigma)u \mid \sigma \in \mathrm{Store},\ u \in P\} \cup \{\varepsilon\}$$
$$\mathrm{halt}_{\mathrm{AProc}} = \{(\sigma,\sigma)\mathrm{Done} \mid \sigma \in \mathrm{Store}\}\downarrow$$
Note that $\mathrm{halt}_{\mathrm{AProc}} = [\![\mathrm{skip}]\!]^\sim$.

We write $T_{\mathrm{AProc}}$ for the monad associated to the theory $L_{\mathrm{AProc}}$. The next theorem shows that the variant theory $L_{\mathrm{AProc}}$ indeed captures AProc. First we need some notation.

• We define a unary derived operation $a_{l,m,k}$, for $l \in \mathrm{Vars}$ and $m,k \in \mathrm{Value}$, by:
$$a_{l,m,k}(x) =_{\mathrm{def}} \mathrm{lookup}_l((t_{m'})_{m'})$$
where:
$$t_{m'} =_{\mathrm{def}} \begin{cases} \mathrm{update}_{l,k}(x) & (\text{if } m' = m) \\ \Omega & (\text{otherwise}) \end{cases}$$

• We define a unary derived operation $a_{\sigma,\sigma'}$, for $\sigma,\sigma' \in \mathrm{Store}$, by:
$$a_{\sigma,\sigma'}(x) =_{\mathrm{def}} a_{l_1,\sigma(l_1),\sigma'(l_1)}(\ldots(a_{l_n,\sigma(l_n),\sigma'(l_n)}(x))\ldots)$$
where $l_1, \ldots, l_n$ is an enumeration of Vars.

• For every sequence of plain transitions $u = (\sigma_1,\sigma'_1)\ldots(\sigma_n,\sigma'_n)$ we define a unary derived operation $a_u$ by:
$$a_u(x) =_{\mathrm{def}} a_{\sigma_1,\sigma'_1}(d(\ldots a_{\sigma_n,\sigma'_n}(d(x))\ldots))$$

• For every sequence of plain transitions $u$ and $\sigma,\sigma' \in \mathrm{Store}$, we define two constants $u$ and $u(\sigma,\sigma')\mathrm{Done}$ by:
$$u =_{\mathrm{def}} a_u(\Omega) \qquad\text{and}\qquad u(\sigma,\sigma')\mathrm{Done} =_{\mathrm{def}} a_u(\mathrm{halt})$$
Note that $u_{\mathrm{AProc}} = (a_u)_{\mathrm{AProc}}(\Omega) = u\downarrow$ where, for example, $u_{\mathrm{AProc}}$ is the interpretation of $u$ in AProc; further $u(\sigma,\sigma')\mathrm{Done}_{\mathrm{AProc}} = u(\sigma,\sigma')\mathrm{Done}\downarrow$. Below we may confuse a constant or operation with its interpretation in a specific algebra $A$, e.g., writing $u$ or $a_u$ rather than $u_A$ or $(a_u)_A$, provided that the intended algebra can be understood from the context.
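The definability claims just stated can be checked mechanically on a finite instance. The following is an added example, not code from the paper: it fixes two variables x, y with values in {0, 1} (so Store has four elements and every set involved is finite), represents pure transition sequences as tuples of plain transitions optionally ending in a Done marker, takes the order on them to be the prefix order (so P↓ is prefix closure), transcribes the AProc operations of this section, builds the derived operations $a_{l,m,k}$ and $a_{\sigma,\sigma'}$ from lookup and update exactly as defined above, and then checks that the closed term for $u\downarrow$, assembled one transition at a time as in the case analysis of the proof of Lemma 6.3, denotes exactly $u\downarrow$ in AProc for every $u$ of bounded length, and that the inequation $d(\Omega) \leq \mathrm{halt}$ holds (strictly). All helper names are this example's own.

```python
"""Toy AProc algebra over a finite store, for checking the definability claims.

Added example, not from the paper.  Assumptions: two variables x, y with values in {0, 1}
(so Store has four elements and every set computed below is finite); a pure transition
sequence is a tuple of plain transitions (sigma, sigma') optionally ending in the marker
DONE; the order on such sequences is the prefix order, so P-down is the prefix closure.
"""
from itertools import product

VARS = ("x", "y")
VALUES = (0, 1)
DONE = "Done"
STORES = tuple(product(VALUES, repeat=len(VARS)))  # a store is a tuple indexed like VARS


def assign(store, var, n):
    """sigma[var -> n]."""
    i = VARS.index(var)
    return store[:i] + (n,) + store[i + 1:]


def read(store, var):
    """sigma(var)."""
    return store[VARS.index(var)]


def down(P):
    """Prefix closure of a set of sequences: the paper's P-down under the assumed order."""
    return {u[:i] for u in P for i in range(len(u) + 1)}


def plain_first(u):
    """True when u is non-empty and begins with a plain transition (sigma, sigma')."""
    return len(u) > 0 and u[0] != DONE


# The L_AProc operations on AProc, transcribed from Section 6.2.
OMEGA = {()}
HALT = down({((s, s), DONE) for s in STORES})


def d(P):
    return {((s, s),) + u for s in STORES for u in P} | OMEGA


def update(var, n, P):
    out = set(OMEGA)
    for s in STORES:
        t = assign(s, var, n)
        out |= {((s, u[0][1]),) + u[1:] for u in P if plain_first(u) and u[0][0] == t}
    return out


def lookup(var, P_by_n):
    out = set(OMEGA)
    for n, P in P_by_n.items():
        out |= {u for u in P if plain_first(u) and read(u[0][0], var) == n}
    return out


# The derived operations a_{l,m,k} and a_{sigma,sigma'} of Section 6.2.
def a_lmk(var, m, k, x):
    return lookup(var, {m2: (update(var, k, x) if m2 == m else OMEGA) for m2 in VALUES})


def a_ss(s, s2, x):
    for var in reversed(VARS):  # innermost variable first
        x = a_lmk(var, read(s, var), read(s2, var), x)
    return x


def term(u):
    """Value in AProc of the closed L_AProc-term for u-down, built one transition at a
    time by the case analysis used in the proof of Lemma 6.3."""
    if u == ():
        return set(OMEGA)
    (s, s2), rest = u[0], u[1:]
    if rest == ():
        return a_ss(s, s2, d(OMEGA))
    if rest == (DONE,):
        return a_ss(s, s2, HALT)
    return a_ss(s, s2, d(term(rest)))


def all_sequences(max_len):
    """Every pure transition sequence with at most max_len plain transitions."""
    trans = [(s, s2) for s in STORES for s2 in STORES]
    seqs = [()]
    for n in range(1, max_len + 1):
        for body in product(trans, repeat=n):
            seqs += [body, body + (DONE,)]
    return seqs


def definability_holds(max_len=2):
    """u_AProc = u-down for every pure sequence u of bounded length."""
    return all(term(u) == down({u}) for u in all_sequences(max_len))


def halt_axiom_holds():
    """The inequation d(Omega) <= halt of L_AProc, with <= being inclusion in AProc."""
    return d(OMEGA) <= HALT and not HALT <= d(OMEGA)
```

The two lines of `a_ss` are where the construction does its work: `update` retargets the first transition of every sequence starting from $\sigma'$, and `lookup` keeps only the retargeted sequences starting from $\sigma$, so that $a_{\sigma,\sigma'}(d(P))$ is exactly $P$ with $(\sigma,\sigma')$ prepended to every sequence, which is why a single stuttering step $d$ is interposed between consecutive transitions.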

Theorem 6.2. AProc is the initial $L_{\mathrm{AProc}}$-model, i.e., it is $T_{\mathrm{AProc}}(0)$.
Proof. We begin by examining the connection between $\mathcal{I}_\omega(\{\mathrm{Done}\})$ and AProc. By Theorem 6.1, $\mathcal{I}_\omega(\{\mathrm{Done}\})$ is the free model of $L_{\mathrm{Res}}$ over $\{\mathrm{Done}\}$. So $f : \{\mathrm{Done}\} \to \mathrm{AProc}$ has a unique extension to a morphism $f^\dagger : \mathcal{I}_\omega(\{\mathrm{Done}\}) \to \mathrm{AProc}$ of $L_{\mathrm{Res}}$-models, where $f(\mathrm{Done}) =_{\mathrm{def}} \mathrm{halt}_{\mathrm{AProc}}$. We now show that:
$$f^\dagger(I) = \{\theta_{\mathrm{AProc}}(u) \mid u \in I\}\downarrow$$
from which it follows that $f^\dagger$ is onto. It is enough to show that $f^\dagger(u\downarrow) = \theta_{\mathrm{AProc}}(u)\downarrow$, which holds as, for any $u$ not containing Done, we calculate that
$$f^\dagger(u\downarrow) = f^\dagger(u_{\mathcal{I}_\omega(\{\mathrm{Done}\})}) = u_{\mathrm{AProc}} = u\downarrow = \theta_{\mathrm{AProc}}(u)\downarrow$$
and that
$$f^\dagger(u(\sigma,\sigma'\mathrm{Done})\downarrow) = f^\dagger((a_u)_{\mathcal{I}_\omega(\{\mathrm{Done}\})}(\eta(\mathrm{Done}))) = (a_u)_{\mathrm{AProc}}(f^\dagger(\eta(\mathrm{Done})))$$
$$= (a_u)_{\mathrm{AProc}}(\mathrm{halt}_{\mathrm{AProc}}) = u(\sigma,\sigma')\mathrm{Done}\downarrow = \theta_{\mathrm{AProc}}(u(\sigma,\sigma'\mathrm{Done}))\downarrow$$
where, in both cases, the second equality holds as $f^\dagger$ is a morphism of $L_{\mathrm{Res}}$-models.

Let $L$ be a model of $L_{\mathrm{AProc}}$. We have to show there is a unique morphism $h : \mathrm{AProc} \to L$. For uniqueness, let $h, h'$ be such morphisms. Then both $h \circ f^\dagger$ and $h' \circ f^\dagger$ are morphisms of $L_{\mathrm{Res}}$-models from $\mathcal{I}_\omega(\{\mathrm{Done}\})$ to $L$, extending the map $\mathrm{Done} \mapsto \mathrm{halt}_L$. So, as there is only one such map, $h \circ f^\dagger = h' \circ f^\dagger$, and therefore, as $f^\dagger$ is onto, $h = h'$, as required.

For existence, define the map $\theta : \mathrm{PPSeq} \to L$ by $\theta(u) = u_L$, the interpretation in $L$ of the constant $u$. Using the fact that $L$ is a model of $L_{\mathrm{AProc}}$, particularly the axiom $d(\Omega) \leq \mathrm{halt}$, one has that $\theta$ is monotonic. One can then define a continuous map $h : \mathrm{AProc} \to L$ by:
$$h(I) = \bigvee_{u \in I} \theta(u)$$
with the sup on the right existing as $I$ is denumerable. Let $g$ be the unique morphism of $L_{\mathrm{Res}}$-models from $\mathcal{I}_\omega(\{\mathrm{Done}\})$ to $L$, extending the map $\mathrm{Done} \mapsto \mathrm{halt}_L$.

We have that $h \circ f^\dagger = g$, as, for any $u$ not containing Done, we may calculate that:
$$h(f^\dagger(u\downarrow)) = h(u\downarrow) = \theta(u) = (a_u(\Omega))_L = g(a_u(\Omega)) = g(u\downarrow)$$
and that
$$h(f^\dagger(u(\sigma,\sigma'\mathrm{Done})\downarrow)) = h(a_u(\mathrm{halt})) = h(u(\sigma,\sigma')\mathrm{Done}\downarrow) = \theta(u(\sigma,\sigma')\mathrm{Done}) = u(\sigma,\sigma')\mathrm{Done}_L$$
$$= a_{u(\sigma,\sigma')}(\mathrm{halt}) = g(a_{u(\sigma,\sigma')}(\eta(\mathrm{Done}))) = g(u(\sigma,\sigma'\mathrm{Done})\downarrow)$$

As $h \circ f^\dagger = g$, and $f^\dagger$ and $g$ are morphisms of $L_{\mathrm{Res}}$-models, and $f^\dagger$ is onto, $h$ is automatically a morphism of $L_{\mathrm{Res}}$-models. For example, for the preservation of $d$, given $I \in \mathrm{AProc}$, choose $J \in \mathcal{I}_\omega(\{\mathrm{Done}\})$ such that $f^\dagger(J) = I$ and calculate that:
$$h(d_{\mathrm{AProc}}(I)) = h(d_{\mathrm{AProc}}(f^\dagger(J))) = h(f^\dagger(d_{\mathcal{I}_\omega(\{\mathrm{Done}\})}(J))) = g(d_{\mathcal{I}_\omega(\{\mathrm{Done}\})}(J))$$
$$= d_L(g(J)) = d_L(h(f^\dagger(J))) = d_L(h(I))$$
Further, $h$ preserves halt as $h(\mathrm{halt}_{\mathrm{AProc}}) = h(f^\dagger(\eta(\mathrm{Done}))) = g(\eta(\mathrm{Done})) = \mathrm{halt}_L$. We therefore have that $h$ is a morphism of $L_{\mathrm{AProc}}$-models, which concludes the proof. □
One can go on and obtain a general view of the monad $T_{\mathrm{AProc}}$ using a suitable notion of (proper) pure $Q$-transition sequences. However we omit the details as they are not needed for an account of processes.

There is another possible proof of Theorem 6.2 along the lines of that of Theorem 6.1. First one notes that to have a model of $L_{\mathrm{AProc}}$ in $\omega$Cpo is to have a model of $L_S$ in $\omega$SL, with carrier $L$, say, together with a morphism $d : L_\bot \to L$ and an element $\mathrm{halt} \in L$ such that $d(\Omega) \leq \mathrm{halt}$. It is not hard to see that to have such a morphism and element is to have a morphism $(L + \mathcal{I}_\omega(1))_\bot \to L$, where $1$ is the one-point partial order.

One then sees that the carrier of the initial such model is given by the solution of the domain equation:
$$L \cong (S \otimes (L + \mathcal{I}_\omega(1))_\bot)^S$$
and that that can be solved by first solving the corresponding equation
$$R \cong S \times (S \times (R + 1)_\bot)$$
in Pos and then setting $L = \mathcal{I}_\omega(R)$. The rest of the proof proceeds as expected.

Equally, there should be an elementary proof of Theorem 6.1 which, like that of Theorem 6.2, makes use of definability. The more conceptual proofs have the advantage of showing, via domain equations, the origins of the two kinds of transition sequences and their ordering.

6.3. Processes. We turn to our algebraic account of Proc. The signature of our theory of processes, $L_{\mathrm{Proc}}$, is that for $L_{\mathrm{Res}}$ together with two families of unary operation symbols $\mathrm{async}_P$ and $\mathrm{yield\_to}_P$, where $P$ is in AProc. The first of these corresponds to the function of the same name defined above, but restricted to asynchronous threads. The second corresponds to a slightly different version of async in which the first action is that of the thread spun off, rather than that of the active command. We often find it convenient to write $\mathrm{async}_P\,t$ and $\mathrm{yield\_to}_P\,t$ as, respectively, $P \triangleright t$ and $P \triangleleft t$, thinking of them as right and left shuffles.

We begin with a theory $L_{\mathrm{Spawn}}$ for async and yield_to which involves the other operations. The first group of equations for $L_{\mathrm{Spawn}}$ concerns commutation with $\cup$:
$$(P \cup_{\mathrm{AProc}} P') \triangleright x = (P \triangleright x) \cup (P' \triangleright x)$$
$$P \triangleright (x \cup y) = (P \triangleright x) \cup (P \triangleright y)$$
$$(P \cup_{\mathrm{AProc}} P') \triangleleft x = (P \triangleleft x) \cup (P' \triangleleft x)$$
$$P \triangleleft (x \cup y) = (P \triangleleft x) \cup (P \triangleleft y)$$
The second group of equations concerns the interaction of async with the other operations of $L_{\mathrm{Proc}}$ (except for $\triangleleft$):
$$P \triangleright \mathrm{update}_{l,n}(x) = \mathrm{update}_{l,n}(P \triangleright x)$$
$$P \triangleright \mathrm{lookup}_l((x_n)_n) = \mathrm{lookup}_l((P \triangleright x_n)_n)$$
$$P \triangleright \Omega = \Omega$$
$$P \triangleright d(x) = d(P \bowtie x)$$
$$P \triangleright (P' \triangleright x) = (P \bowtie P') \triangleright x$$
where we write $P \bowtie x$ for the "left action" $(P \triangleright x) \cup (P \triangleleft x)$. The first three state that $P \triangleright -$ commutes with another operation; the next concerns the interaction of async with suspension and brings in yield_to; the last reduces two occurrences of async to one. The third, and last, group of equations is for the interaction of yield_to with the other operations of $L_{\mathrm{AProc}}$:
$$(\mathrm{update}_{l,n})_{\mathrm{AProc}}(P) \triangleleft x = \mathrm{update}_{l,n}(P \triangleleft x)$$
$$(\mathrm{lookup}_l)_{\mathrm{AProc}}((P_n)_n) \triangleleft x = \mathrm{lookup}_l((P_n \triangleleft x)_n)$$
$$\Omega_{\mathrm{AProc}} \triangleleft x = \Omega$$
$$d_{\mathrm{AProc}}(P) \triangleleft x = d(P \bowtie x)$$
$$\mathrm{halt}_{\mathrm{AProc}} \triangleleft x = d(x)$$
The first three assert that $- \triangleleft x$ acts homomorphically with respect to an operation; the next concerns the interaction with suspension; and the last concerns what happens when asynchronous threads halt. Finally we add an inequation:
$$\Omega_{\mathrm{AProc}} \triangleright x \leq x$$

We take the equations of $L_{\mathrm{Proc}}$ to be those of $L_{\mathrm{Spawn}}$, i.e., the equations are the ones just given for async and yield_to, together with those of $L_{\mathrm{Res}}$. One would naturally have expected $L_{\mathrm{Proc}}$ also to have an equation with left-hand side $P \triangleright (P' \triangleleft x)$; indeed, we could have added the equation:
$$P \triangleright (P' \triangleleft x) = P' \triangleleft (P \bowtie x)$$
However this equation is redundant as it can be proved from the others using the algebraic induction principle of "Computational Induction" described in [PP08]. (One proceeds by such an induction on $P'$, with a subinduction on $P$.) The inequation is somewhat inelegant: a possible improvement would be to use Pool instead rather than restricting to asynchronous threads. This would give the possibility of a version of halt, to denote $\mathrm{Done}\downarrow$, such that the equations
$$\mathrm{halt} \triangleright x = \mathrm{halt} \triangleleft x = x$$
held, making the inequation redundant.

Let $T_{\mathrm{Proc}}$ be the monad associated to the theory $L_{\mathrm{Proc}}$. We now aim to give a picture of $T_{\mathrm{Proc}}(\mathcal{I}_\downarrow(Q))$ like that we gave of $T_{\mathrm{Res}}(\mathcal{I}_\downarrow(Q))$. Take the partial order $Q$-Trans of the $Q$-transition sequences to be that of the basic $(Q \times \mathrm{PSeq})$-transition sequences. Note that one can regard $Q$-transition sequences as elements of a kind of "double thread" in which the first thread returns a value together with a second (asynchronous) thread.

We show that $Q\text{-Proc} =_{\mathrm{def}} \mathcal{I}_\omega(Q\text{-Trans})$ carries the free model of $L_{\mathrm{Proc}}$ on $\mathcal{I}_\downarrow(Q)$. We view $Q$-Proc as an $L_{\mathrm{Res}}$-model as in Section 6.1. In order to give async and yield_to, we first mutually recursively define the incomplete right and left shuffles $u \triangleright v$ and $u \triangleleft v$ in $Q$-Proc of a proper pure transition sequence $u$ with a $Q$-transition sequence $v$, by:
$$u \triangleright (\sigma,\sigma'(x,u')) = \{(\sigma,\sigma'(x,w)) \mid w \in u \bowtie u'\}\downarrow$$
$$u \triangleright (\sigma,\sigma') = \{(\sigma,\sigma')u^-\}\downarrow$$
$$u \triangleright (\sigma,\sigma')v = \{(\sigma,\sigma')w \mid w \in u \bowtie v\}\downarrow \qquad (v \neq \varepsilon)$$
where, for any pure transition sequence $w$, $w^-$ is $w$ less any occurrence of Done, and writing $u \bowtie v$ for the incomplete shuffles $(u \triangleleft v) \cup (u \triangleright v)$ of $u$ and $v$, and:
$$\varepsilon \triangleleft v = \emptyset$$
$$(\sigma,\sigma')\mathrm{Done} \triangleleft v = \{(\sigma,\sigma')v\}\downarrow$$
$$(\sigma,\sigma')u \triangleleft v = \{(\sigma,\sigma')w \mid w \in u \bowtie v\}\downarrow$$
where, in the last line, $u$ is required to be proper. (Recall that an incomplete shuffle of two sequences is a shuffle of two of their prefixes, equivalently a prefix of a shuffle of them.) Both $\triangleright$ and $\triangleleft$ are monotonic operations.
Then, for $P \in \mathrm{AProc}$ and $I \in Q\text{-Proc}$, we put:
$$(\mathrm{async}_{\mathrm{Proc}})_P(I) = \bigcup_{u \in P,\ v \in I} u \triangleright v$$
$$(\mathrm{yield\_to}_{\mathrm{Proc}})_P(I) = \bigcup_{u \in P,\ v \in I} u \triangleleft v \;\cup\; \{u^- \mid u \in P,\ u \neq \varepsilon\}$$
If $I$ is not empty we have:
$$(\mathrm{yield\_to}_{\mathrm{Proc}})_P(I) = \bigcup_{u \in P,\ v \in I} u \triangleleft v$$
With these additional operations, $Q$-Proc is a model of $L_{\mathrm{Proc}}$.

In the following we make use of the notation introduced in Section 6.2.

Lemma 6.3. For any proper pure transition sequence $u$, the equation $u\downarrow \triangleleft \Omega = u^-\downarrow$ is provable in $L_{\mathrm{Proc}}$.

Proof. The proof is by induction on the length of $u$. In the case where $u = \varepsilon$, we have $u\downarrow = \Omega_{\mathrm{AProc}}$, and in the equational theory we have $\Omega_{\mathrm{AProc}} \triangleleft \Omega = \Omega$, as required.

In the case where $u = (\sigma,\sigma')$, we have $u\downarrow = a_{\sigma,\sigma'}(d\Omega_{\mathrm{AProc}})$, and in the equational theory, we have:
$$a_{\sigma,\sigma'}(d\Omega_{\mathrm{AProc}}) \triangleleft \Omega = a_{\sigma,\sigma'}(d\Omega_{\mathrm{AProc}} \triangleleft \Omega) = a_{\sigma,\sigma'}(d(\Omega_{\mathrm{AProc}} \triangleleft \Omega) \cup d(\Omega_{\mathrm{AProc}} \triangleright \Omega)) = a_{\sigma,\sigma'}(d\Omega) = u^-\downarrow$$
using the equations $\Omega_{\mathrm{AProc}} \triangleleft x = \Omega$ and $P \triangleright \Omega = \Omega$ for the third equality.

In the case where $u = (\sigma,\sigma')\mathrm{Done}$, we have $u\downarrow = a_{\sigma,\sigma'}(\mathrm{halt})$, and in the equational theory, we have:
$$a_{\sigma,\sigma'}(\mathrm{halt}) \triangleleft \Omega = a_{\sigma,\sigma'}(\mathrm{halt} \triangleleft \Omega) = a_{\sigma,\sigma'}(d\Omega) = u^-\downarrow$$
using the equation $\mathrm{halt}_{\mathrm{AProc}} \triangleleft x = d(x)$.

Finally, in the case where $u = (\sigma,\sigma')v$, with $v$ a proper pure transition sequence, we have $u\downarrow = a_{\sigma,\sigma'}(d(v\downarrow))$, and in the equational theory, we have:
$$a_{\sigma,\sigma'}(d(v\downarrow)) \triangleleft \Omega = a_{\sigma,\sigma'}(d(v\downarrow) \triangleleft \Omega)$$
$$= a_{\sigma,\sigma'}(d((v\downarrow) \triangleleft \Omega) \cup d((v\downarrow) \triangleright \Omega))$$
$$= a_{\sigma,\sigma'}(d((v\downarrow) \triangleleft \Omega))$$
$$= a_{\sigma,\sigma'}(d(v^-\downarrow))$$
$$= u^-\downarrow$$
using the induction hypothesis in the next-to-last step. □

Our main algebraic theorem characterizes free models of a natural equational theory for resumptions with thread-spawning in terms of a kind of double-thread.

Theorem 6.4. Viewed as an $L_{\mathrm{Proc}}$-model, $\mathcal{I}_\omega(Q\text{-Trans})$ is the free model over $\mathcal{I}_\downarrow(Q)$. The unit $(\eta_{T_{\mathrm{Proc}}})_{\mathcal{I}_\downarrow(Q)} : \mathcal{I}_\downarrow(Q) \to \mathcal{I}_\omega(Q\text{-Trans})$ is given by:
$$(\eta_{T_{\mathrm{Proc}}})_{\mathcal{I}_\downarrow(Q)}(I) = \{(\sigma,\sigma(x,\mathrm{Done})) \mid x \in I\}\downarrow$$
and, for any continuous $f : \mathcal{I}_\downarrow(Q) \to \mathcal{I}_\omega(R\text{-Trans})$, its Kleisli extension
$$f^\dagger : \mathcal{I}_\omega(Q\text{-Trans}) \to \mathcal{I}_\omega(R\text{-Trans})$$
is given by:
$$f^\dagger(I) = \{u(\sigma,\tau)v \mid \exists\sigma',x.\ u(\sigma,\sigma'(x,\mathrm{Done})) \in I,\ (\sigma',\tau)v \in f(x\downarrow)\}$$
$$\cup\ \{u(\sigma,\tau)v \mid \exists\sigma',x,w \neq \mathrm{Done}.\ u(\sigma,\sigma'(x,w)) \in I,\ (\sigma',\tau)v \in w \triangleright f(x\downarrow)\}$$
$$\cup\ \{u \in I \mid u \text{ has no } (Q \times \mathrm{PSeq})\text{-transition}\}$$

Proof. To show that $\mathcal{I}_\omega(Q\text{-Trans})$ is the free algebra over $\mathcal{I}_\downarrow(Q)$ with unit as above, we must show that for any $L_{\mathrm{Proc}}$-model $A$ and any continuous function $f : \mathcal{I}_\downarrow(Q) \to A$ there is a unique morphism $h : \mathcal{I}_\omega(Q\text{-Trans}) \to A$ of models of $L_{\mathrm{Proc}}$ such that
$$h \circ (\eta_{T_{\mathrm{Proc}}})_{\mathcal{I}_\downarrow(Q)} = f$$

We begin by showing uniqueness. To that end, fix $A$ and $f$, and let $h$ be a morphism satisfying this equation. Define $g : \mathcal{I}_\downarrow(Q \times \mathrm{PSeq}) \to A$ by putting:
$$g((x,u)\downarrow) = \begin{cases} f(x\downarrow) & (\text{if } u = \mathrm{Done}) \\ u\downarrow \triangleright_A f(x\downarrow) & (\text{otherwise}) \end{cases}$$
This is a good definition, with monotonicity being established using the inequation for $\triangleright$.

We have $f = g\alpha$ and $(\eta_{T_{\mathrm{Proc}}})_{\mathcal{I}_\downarrow(Q)} = (\eta_{T_{\mathrm{Res}}})_{\mathcal{I}_\downarrow(Q \times \mathrm{PSeq})}\,\alpha$, where $\alpha : \mathcal{I}_\downarrow(Q) \to \mathcal{I}_\downarrow(Q \times \mathrm{PSeq})$ is defined by setting $\alpha(x\downarrow) = (x,\mathrm{Done})\downarrow$.

We then have that
$$h \circ (\eta_{T_{\mathrm{Res}}})_{\mathcal{I}_\downarrow(Q \times \mathrm{PSeq})} = g$$
as we may calculate for $u = \mathrm{Done}$, and, for $u \neq \mathrm{Done}$, that:
$$h((\eta_{T_{\mathrm{Res}}})_{\mathcal{I}_\downarrow(Q \times \mathrm{PSeq})}((x,u)\downarrow)) = h(\{(\sigma,\sigma(x,u)) \mid \sigma \in \mathrm{Store}\}\downarrow)$$
$$= h(u\downarrow \triangleright \{(\sigma,\sigma(x,\mathrm{Done})) \mid \sigma \in \mathrm{Store}\}\downarrow)$$
$$= h(u\downarrow \triangleright (\eta_{T_{\mathrm{Proc}}})_{\mathcal{I}_\downarrow(Q)}(x\downarrow))$$
$$= u\downarrow \triangleright_A h((\eta_{T_{\mathrm{Proc}}})_{\mathcal{I}_\downarrow(Q)}(x\downarrow))$$
$$= u\downarrow \triangleright_A f(x\downarrow)$$
This is enough to show uniqueness, as if $h(\eta_{T_{\mathrm{Proc}}})_{\mathcal{I}_\downarrow(Q)} = h'(\eta_{T_{\mathrm{Proc}}})_{\mathcal{I}_\downarrow(Q)} = f$ for such morphisms $h$ and $h'$, then $h(\eta_{T_{\mathrm{Res}}})_{\mathcal{I}_\downarrow(Q \times \mathrm{PSeq})} = h'(\eta_{T_{\mathrm{Res}}})_{\mathcal{I}_\downarrow(Q \times \mathrm{PSeq})} = g$, and so $h = h'$, as $h$ and $h'$ are morphisms of models of $L_{\mathrm{Res}}$ (being morphisms of models of $L_{\mathrm{Proc}}$).

For existence we are again given $A$ and $f$ and wish to construct a suitable $h$. To that end, with $g$ and $\alpha$ as before, take $h$ to be the $T_{\mathrm{Res}}$-extension of $g$. Then we have $h(\eta_{T_{\mathrm{Proc}}})_{\mathcal{I}_\downarrow(Q)} = h(\eta_{T_{\mathrm{Res}}})_{\mathcal{I}_\downarrow(Q \times \mathrm{PSeq})}\,\alpha = g\alpha = f$ and so it remains to prove that $h$ preserves async and yield_to.

As regards the preservation of async, since it is continuous, preserves $\cup$ in each argument, and is strict in its second argument, it suffices to establish preservation for individual transition sequences. That is, it suffices to show, for all proper pure transition sequences $u$ and all $v$ in $Q$-Trans, that:
$$h(u \triangleright v) = u \triangleright_A h(v)$$
where here, and below, we omit writing $\downarrow$, e.g., writing $u$ and $v$ rather than $u\downarrow$ and $v\downarrow$.

As regards the preservation of yield_to, since it is continuous and preserves $\cup$ in each argument, it suffices to show, for all proper pure transition sequences $u$ and all $v$ in $Q$-Trans, that:
$$h(u \triangleleft v) = u \triangleleft_A h(v)$$
and:
$$h(u \triangleleft \Omega) = u \triangleleft_A h(\Omega)$$
For the last of these three equations, as $h(\Omega) = \Omega$, using Lemma 6.3 we see that it is enough to show that $h(u^-) = u^-$, and this holds as $h$ is a homomorphism of models of $L_{\mathrm{Res}}$.

The proof of the first two equations is a simultaneous induction on the sum of the lengths of $u$ and $v$, invoking $L_{\mathrm{Proc}}$ equations on $A$ as necessary. We begin with the first equation. In the first case, we consider $v = (\sigma,\sigma')$. Here, on the one hand, we have:
$$h(u \triangleright (\sigma,\sigma')) = h((\sigma,\sigma')u^-) = (\sigma,\sigma')u^-$$
using the fact that $h$ is a homomorphism for the last equality, and, on the other, we have:
$$u \triangleright_A h((\sigma,\sigma')) = u \triangleright_A h(a_{\sigma,\sigma'}(d\Omega))$$
$$= u \triangleright_A (a_{\sigma,\sigma'}(d\Omega))$$
$$= a_{\sigma,\sigma'}(u \triangleright_A d\Omega)$$
$$= a_{\sigma,\sigma'}(d(u \triangleright_A \Omega) \cup d(u \triangleleft_A \Omega))$$
$$= a_{\sigma,\sigma'}(d(u^-)) \qquad (\text{by Lemma 6.3})$$
$$= (\sigma,\sigma')u^-$$

For the next case we consider $v = (\sigma,\sigma'(x,u'))$. Here, on the one hand we have:
$$h(u \triangleright v) = h(\{(\sigma,\sigma'(x,u'')) \mid u'' \in u \bowtie u'\})$$
$$= \bigcup_{u'' \in u \bowtie u'} h((\sigma,\sigma'(x,u'')))$$
$$= \bigcup_{u'' \in u \bowtie u'} a_{\sigma,\sigma'}(h((\eta_{T_{\mathrm{Res}}})_{\mathcal{I}_\downarrow(Q \times \mathrm{PSeq})}((x,u''))))$$
$$= \bigcup_{u'' \in u \bowtie u'} a_{\sigma,\sigma'}(u'' \triangleright_A f(x))$$
$$= a_{\sigma,\sigma'}((u \bowtie u') \triangleright_A f(x))$$
and, on the other hand, we have:
$$u \triangleright_A h(v) = u \triangleright_A h(a_{\sigma,\sigma'}((\eta_{T_{\mathrm{Res}}})_{\mathcal{I}_\downarrow(Q \times \mathrm{PSeq})}((x,u'))))$$
$$= a_{\sigma,\sigma'}(u \triangleright_A h((\eta_{T_{\mathrm{Res}}})_{\mathcal{I}_\downarrow(Q \times \mathrm{PSeq})}((x,u'))))$$
$$= a_{\sigma,\sigma'}(u \triangleright_A (u' \triangleright_A f(x)))$$
$$= a_{\sigma,\sigma'}((u \bowtie u') \triangleright_A f(x))$$
using the equation $P \triangleright (P' \triangleright x) = (P \bowtie P') \triangleright x$ for the last equality.
For the last case for the first equation we have $v = (\sigma,\sigma')v'$, with $v'$ in $Q$-Trans, and we calculate:
$$h(u \triangleright (\sigma,\sigma')v') = a_{\sigma,\sigma'}(h(u \triangleright d(v'))) = a_{\sigma,\sigma'}(h(d(u \triangleright v' \cup u \triangleleft v')))$$
$$= a_{\sigma,\sigma'}(d(h(u \triangleright v') \cup h(u \triangleleft v'))) = a_{\sigma,\sigma'}(d(u \triangleright_A h(v') \cup u \triangleleft_A h(v')))$$
$$= a_{\sigma,\sigma'}(u \triangleright_A d(h(v'))) = u \triangleright_A a_{\sigma,\sigma'}(d(h(v')))$$
$$= u \triangleright_A h((\sigma,\sigma')v')$$
applying the induction hypothesis in the second line.

Turning to the second equation, the first case we consider is where $u = \varepsilon$, and we have:
$$h(\varepsilon \triangleleft v) = h(\Omega_{\mathrm{AProc}} \triangleleft v) = h(\Omega) = \Omega = \Omega_{\mathrm{AProc}} \triangleleft_A h(v) = \varepsilon \triangleleft_A h(v)$$

The second case is where $u = (\sigma,\sigma')\mathrm{Done}$ and we have:
$$h((\sigma,\sigma')\mathrm{Done} \triangleleft v) = h((\sigma,\sigma')v) = a_{\sigma,\sigma'}(d(h(v)))$$
$$= a_{\sigma,\sigma'}(\mathrm{halt} \triangleleft_A h(v)) = a_{\sigma,\sigma'}(\mathrm{halt}) \triangleleft_A h(v)$$
$$= (\sigma,\sigma')\mathrm{Done} \triangleleft_A h(v)$$

The last case is where $u = (\sigma,\sigma')u'$, with $u'$ a proper pure transition sequence, and we have:
$$h((\sigma,\sigma')u' \triangleleft v) = h(a_{\sigma,\sigma'}(d(u')) \triangleleft v) = h(a_{\sigma,\sigma'}(d(u' \bowtie v)))$$
$$= a_{\sigma,\sigma'}(d(h(u' \bowtie v))) = a_{\sigma,\sigma'}(d(u' \bowtie_A h(v)))$$
$$= a_{\sigma,\sigma'}(d(u')) \triangleleft_A h(v) = (\sigma,\sigma')u' \triangleleft_A h(v)$$
applying the induction hypothesis to obtain the fourth equality.

Finally, the formula for the Kleisli extension follows from the construction of $h$, using the Kleisli formula of Theorem 6.1. □

As in the case of resumptions, one can go further and obtain a closely related, if less elementary, picture of $T_{\mathrm{Proc}}(P)$ for arbitrary $P$.

Note that the proof of Theorem 6.4 is elementary, making use of definability in a similar way to the proof of Theorem 6.2. However, unlike in the cases of Theorems 6.1 and 6.2, we do not know any conceptual proof of Theorem 6.4. The difficulty is that the theory of processes $L_{\mathrm{Proc}}$, particularly the part concerning $\triangleleft$ and $\triangleright$, seems somewhat ad hoc, and is not built up in a standard way from simpler theories. There is surely more to be understood here.

Nonetheless, with Theorem 6.4 available, we are in a position to give our algebraic account of Proc. There is an isomorphism $\theta_{\mathrm{Proc}} : Q\text{-Trans} \cong \mathrm{TSeq} \setminus \{\varepsilon\}$, where $Q = \{\mathrm{Ret}\}$, sending $u = (\sigma_1,\sigma'_1)\ldots(\sigma_n,\sigma'_n)$ to itself and $u(\sigma,\sigma'(\mathrm{Ret},v))$ to $u(\sigma,\sigma'\mathrm{Ret})v$. One then has an isomorphism of $\omega$-cpos $\theta_{\mathrm{Proc}} : \mathcal{I}_\omega(Q\text{-Trans}) \cong \mathrm{Proc}$ given by: $\theta_{\mathrm{Proc}}(I) = \{\theta_{\mathrm{Proc}}(u) \mid u \in I\} \cup \{\varepsilon\}$. It follows that Proc can be seen as the free model of $L_{\mathrm{Proc}}$ over the terminal $\omega$-cpo $\{\mathrm{Ret}\}$, as we now spell out. First, define the set of left shuffles $u \triangleleft v$ of a pure transition sequence $u$ with a transition sequence $v$ by setting
$$\varepsilon \triangleleft v = \{\varepsilon\}$$
and
$$(\sigma,\sigma')u \triangleleft v = \{(\sigma,\sigma')w \mid w \in u \bowtie v\}$$
Then, we have:
Corollary 6.5. Equip Proc with the following operations:
$$(\mathrm{update}_{x,n})_{\mathrm{Proc}}(P) = \{(\sigma,\tau)u \mid (\sigma[x \mapsto n],\tau)u \in P\} \cup \{\varepsilon\}$$
$$(\mathrm{lookup}_x)_{\mathrm{Proc}}((P_n)_n) = \bigcup_n \{(\sigma,\tau)u \in P_n \mid \sigma(x) = n\} \cup \{\varepsilon\}$$
$$P \cup_{\mathrm{Proc}} Q = P \cup Q$$
$$\Omega_{\mathrm{Proc}} = \{\varepsilon\}$$
$$d_{\mathrm{Proc}}(P) = \{(\sigma,\sigma)u \mid \sigma \in \mathrm{Store},\ u \in P\} \cup \{\varepsilon\}$$
$$P \triangleright_{\mathrm{Proc}} Q = \mathrm{async}(P,Q)$$
$$P \triangleleft_{\mathrm{Proc}} Q = \bigcup_{u \in P,\ v \in Q} u \triangleleft v$$
(where $x$ ranges over Vars).

Then $\theta_{\mathrm{Proc}} : \mathcal{I}_\omega(Q\text{-Trans}) \cong \mathrm{Proc}$ is an isomorphism of $L_{\mathrm{Proc}}$-models, and Proc is the free model of $L_{\mathrm{Proc}}$ over $\{\mathrm{Ret}\}$, with unit $(\eta_{\mathrm{Proc}})_{\{\mathrm{Ret}\}} : \{\mathrm{Ret}\} \to \mathrm{Proc}$ given by:
$$(\eta_{\mathrm{Proc}})_{\{\mathrm{Ret}\}}(\mathrm{Ret}) = \{(\sigma,\sigma\mathrm{Ret})\mathrm{Done} \mid \sigma \in \mathrm{Store}\}\downarrow$$
The Kleisli extension of a map $f : \{\mathrm{Ret}\} \to \mathrm{Proc}$ is given by:
$$f^\dagger(P) = P \circ f(\mathrm{Ret})$$

Proof. The proof is a calculation using Theorem 6.4. The following equations are useful:
$$\theta_{\mathrm{Proc}}(u \triangleright v) = (u \triangleright \theta_{\mathrm{Proc}}(v))\downarrow$$
$$\theta_{\mathrm{Proc}}(u \triangleleft v) = (u \triangleleft \theta_{\mathrm{Proc}}(v))\downarrow$$
where $u$ is a proper pure transition sequence and $v$ is a $\{\mathrm{Ret}\}$-transition sequence. □

As we now see, the algebraic view also determines the semantics of our language. This 
achieves our aim of placing cooperative threads within the algebraic approach to effects, 
thereby justifying the previous, more ad hoc, account. 

First, we have that $[\![\mathrm{skip}]\!] = (\eta_{\mathrm{Proc}})_{\{\mathrm{Ret}\}}(\mathrm{Ret})$ and that $P \circ Q = (\mathrm{Ret} \mapsto Q)^\dagger(P)$, so the Kleisli structure determines the semantics of skip and composition, just as one would expect from the monadic point of view.

Next, the update and lookup operations, together with the assumed primitive natural number and boolean functions, determine the semantics of assignments, conditionals, and while loops. The operations are equivalent to two generic effects, of assignment and reading:
$$:= \;:\; \mathrm{Vars} \times \mathbb{N} \to \mathrm{Proc} \qquad\qquad ! \;:\; \mathrm{Vars} \to T_{\mathrm{Proc}}(\mathbb{N})$$
One can use the reading generic effect to give the semantics of numerical expressions as elements of $T_{\mathrm{Proc}}(\mathbb{N})$; with that, one can give the semantics of assignments, using the assignment generic effect, standard monadic means, and $\theta_{\mathrm{Proc}}$. Similarly, one can use the reading generic effect to give the semantics of boolean expressions as elements of $T_{\mathrm{Proc}}(\mathbb{B})$, where $\mathbb{B} =_{\mathrm{def}} \{\mathrm{true},\mathrm{false}\}$; with that one can give the semantics of conditionals and while loops, again using standard monadic means and $\theta_{\mathrm{Proc}}$ (as well as least fixed-points for while loops).

Continuing, the $d$ operation is that of the algebra; and block is modeled by $\Omega_{\mathrm{Proc}}$. Finally, the semantics of spawning is determined by async together with the cleaning function
$$-^\sim : \mathrm{Proc} \to \mathrm{AProc}$$
It turns out that the latter is also determined by algebraic means. Specifically, one can regard AProc as a model of $L_{\mathrm{Res}}$ as in Section 6.2 (so we ignore halt) and then extend it to a model of $L_{\mathrm{Proc}}$ as follows. First, for any proper pure transition sequences $u$ and $v$ we define $u \triangleright v \in \mathrm{AProc}$ inductively on $v$ by:
$$u \triangleright \varepsilon = \{\varepsilon\}$$
$$u \triangleright (\sigma,\sigma')\mathrm{Done} = \{(\sigma,\sigma')u\}\downarrow$$
$$u \triangleright (\sigma,\sigma')v = \{(\sigma,\sigma')w \mid w \in u \bowtie v\}\downarrow$$
where, in the last line, $v$ is required to be proper. Then we put:
$$(\mathrm{async}_{\mathrm{AProc}})_P(Q) = \bigcup_{u \in P,\ v \in Q} u \triangleright v$$
and $(\mathrm{yield\_to}_{\mathrm{AProc}})_P(Q) = (\mathrm{async}_{\mathrm{AProc}})_Q(P)$. With these definitions, $-^\sim$ is the extension of the map $\mathrm{Ret} \mapsto \mathrm{halt}_{\mathrm{AProc}}$ to Proc.

In the converse direction one can consider adding missing algebraic operations to the language, for example adding $\cup$ and yield_to via constructs $C \mathrel{\mathrm{or}} D$ and $\mathrm{yield\_to}\ C$. The latter construct is to the binary yield_to as async is to the binary async. It generalizes yield, which is equivalent to $\mathrm{yield\_to}\ \mathrm{skip}$. Its operational semantics is given by the rule:
$$(\sigma, T, \mathcal{E}[\mathrm{yield\_to}\ C]) \longrightarrow (\sigma, T.\mathcal{E}[\mathrm{skip}], C)$$

One may debate the programming usefulness of such additional constructs, but they do allow one to express the equations used for the algebraic characterizations at the level of commands. For example, the equation $P \triangleright d(x) = d(P \bowtie x)$ becomes:
$$(\mathrm{async}\ C); \mathrm{yield}; D \;=\; \mathrm{yield}; ((\mathrm{async}\ C); D \mathrel{\mathrm{or}} (\mathrm{yield\_to}\ C); D)$$

6.4. Dendriform Algebras and Modules. We have found it useful to employ various 
forms of shuffle: sometimes we shuffle two things of the same kind with each other, e.g., two 
pure transition sequences with each other; and sometimes we shuffle two things of different 
kinds with each other, e.g., a pure transition sequence with a transition sequence. 

We have further found it useful to break down such shuffles into left and right shuffles, 
e.g., in the case of the left and right shuffles of asynchronous processes with processes; 
indeed we employ a uniform notation, writing <!,[>, and cxi for left shuffles, right shuffles, 
and (ordinary) shuffles, respectively. Our algebraic account of threads has further involved 
a number of equations concerning the interaction of these shuffle operations with each other 
and with other operations. 

Shuffle operations and their algebra have been studied in a variety of settings. In particular, Loday's dendriform algebras [Lod01, FG08] provide a wide-ranging general notion of left and right shuffling of two things of the same kind with each other. Foissy's dendriform $A$-modules [Foi07] provide the corresponding notion of action: left or right shuffling a thing of one kind with a thing of another kind. We next relate our treatment to these general concepts, thereby placing our various shuffle operations and our equations for them in a standard algebraic context.

Let $R$ be a given commutative semiring (with no requirement for a $0$ or a $1$). Then a dendriform dialgebra is an $R$-module $A$ equipped with two binary bilinear operations $\triangleleft$ and $\triangleright$ such that, for all $x,y,z \in A$:
$$(x \triangleleft y) \triangleleft z = x \triangleleft (y \bowtie z)$$
$$x \triangleright (y \triangleright z) = (x \bowtie y) \triangleright z$$
$$(x \triangleright y) \triangleleft z = x \triangleright (y \triangleleft z)$$
where $x \bowtie y =_{\mathrm{def}} x \triangleleft y + x \triangleright y$; it is commutative if $x \triangleleft y = y \triangleright x$ always holds. Then $(A,\bowtie)$ is a semigroup in the category of $R$-modules, equivalently $\bowtie$ is an associative bilinear operation; it is commutative if the dialgebra is.

Given a dendriform algebra $A$, a dendriform $A$-module is an $R$-module $M$ equipped with two binary bilinear operations $\triangleleft, \triangleright : A \times M \to M$ such that, for all $a,b \in A$ and $x \in M$:
$$(a \triangleleft b) \triangleleft x = a \triangleleft (b \bowtie x)$$
$$a \triangleright (b \triangleright x) = (a \bowtie b) \triangleright x$$
$$(a \triangleright b) \triangleleft x = a \triangleright (b \triangleleft x)$$
where $\bowtie : A \times M \to M$ is given by: $a \bowtie x = a \triangleleft x + a \triangleright x$. Then $\bowtie : A \times M \to M$ is a bilinear action of $(A,\bowtie)$ on $M$.

In all our examples we take $R$ to be the natural two-element semiring $\mathbb{B}$; join semilattices with a zero form $\mathbb{B}$-modules (setting $\mathrm{true} \cdot x = x$ and $\mathrm{false} \cdot x = 0$). As a first example, consider the $\mathbb{B}$-module of the collection of all languages, i.e., all sets of strings over a given alphabet, not containing $\varepsilon$. This is a commutative dialgebra, taking $\triangleleft$ to be the left shuffle operation, and $\triangleright$ to be the right one; $\bowtie$ is then the usual shuffle operation.
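The language example can be made concrete. The following is an added example, not code from the paper: it computes left and right shuffles of words and of languages, with ◁ keeping the first letter of its left argument and ▷ that of its right argument (the same convention as yield_to and async above), and checks the three dendriform identities, commutativity, and that ⋈ is the ordinary shuffle, on constructed sample languages. Function names are this example's own.

```python
"""Left and right shuffles of words and languages: the dendriform structure of Section 6.4.

Added example, not from the paper.  A word is a Python string, a language a frozenset of
non-empty words; u <| v keeps the first letter of u, u |> v keeps the first letter of v,
and u |><| v = (u <| v) + (u |> v) is the ordinary shuffle.
"""
from functools import lru_cache


@lru_cache(maxsize=None)
def shuffle(u: str, v: str) -> frozenset:
    """All interleavings of the words u and v (the ordinary shuffle)."""
    if not u:
        return frozenset({v})
    if not v:
        return frozenset({u})
    return frozenset({u[0] + w for w in shuffle(u[1:], v)}
                     | {v[0] + w for w in shuffle(u, v[1:])})


def word_left(u: str, v: str) -> frozenset:
    """u <| v: interleavings whose first letter comes from u (empty if u is empty)."""
    return frozenset(u[0] + w for w in shuffle(u[1:], v)) if u else frozenset()


def word_right(u: str, v: str) -> frozenset:
    """u |> v: interleavings whose first letter comes from v (empty if v is empty)."""
    return frozenset(v[0] + w for w in shuffle(u, v[1:])) if v else frozenset()


def lang(*words: str) -> frozenset:
    """A language, i.e. a finite set of non-empty words (constructed sample input)."""
    return frozenset(words)


def left(L, M):
    """L <| M, extended bilinearly (union) from words to languages."""
    return frozenset().union(*(word_left(u, v) for u in L for v in M))


def right(L, M):
    """L |> M, extended bilinearly from words to languages."""
    return frozenset().union(*(word_right(u, v) for u in L for v in M))


def join(L, M):
    """L |><| M = (L <| M) + (L |> M); in a B-module, + is union."""
    return left(L, M) | right(L, M)


def dendriform_laws_hold(X, Y, Z) -> bool:
    """The three dendriform identities of the text, checked on given languages."""
    return (left(left(X, Y), Z) == left(X, join(Y, Z))
            and right(X, right(Y, Z)) == right(join(X, Y), Z)
            and left(right(X, Y), Z) == right(X, left(Y, Z)))


def commutative(X, Y) -> bool:
    """X <| Y = Y |> X, the commutativity condition of the text."""
    return left(X, Y) == right(Y, X)
```

Each identity says that a three-way shuffle is determined by which argument supplies the first letter: the first two fix it to be the leftmost and rightmost argument respectively, and the third to be the middle one, which is why both sides of the third identity coincide without any commutativity assumption.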

The semilattice of asynchronous processes AProc forms a commutative dendriform $\mathbb{B}$-algebra, setting:
$$P \triangleleft_{\mathrm{AProc}} Q = (\mathrm{yield\_to}_{\mathrm{AProc}})_P(Q) \qquad P \triangleright_{\mathrm{AProc}} Q = (\mathrm{async}_{\mathrm{AProc}})_P(Q)$$
One then has that $Q$-Proc forms a dendriform AProc-module, setting:
$$P \triangleleft_{Q\text{-Proc}} I = (\mathrm{yield\_to}_{\mathrm{Proc}})_P(I) \qquad P \triangleright_{Q\text{-Proc}} I = (\mathrm{async}_{\mathrm{Proc}})_P(I)$$
It follows that Proc also forms a dendriform AProc-module, using the definitions of the left and right shuffling given in Corollary 6.5.

Algebraically, the first group of equations for $L_{\mathrm{Spawn}}$ state the bilinearity of the two module operations. The second group contains the second of the three module equations. The equation
$$a \triangleright (b \triangleleft x) = b \triangleleft (a \bowtie x)$$
generalizing one considered above, holds in any module over a commutative dendriform algebra. To account for the other two module equations algebraically one would need an algebraic treatment of the dendriform algebra operations on AProc. These operations are effect deconstructors rather than effect constructors. An account of unary deconstructors has been given in [PP09], but a satisfactory treatment of binary ones remains to be found; we therefore leave further algebraic treatment to future work.

7. Conclusion 

A priori, the properties and the semantics of threads in general, and of cooperative 
threads in particular, may not appear obvious. In our opinion, a huge body of incorrect 
multithreaded software and a relatively small literature both support this point of view. 
With the belief that mathematical foundations could prove beneficial, the main technical 
goal of our work is to define and elucidate the semantics of threads. For instance, semantics 
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can serve for validating reasoning principles; our work is only a preliminary, but encouraging, 
step in this respect. 

Our initial motivation was partly practical — we wanted to understand and further the 
AME programming model and similar ones. We also saw an opportunity to leverage devel- 
opments in trace-based denotational semantics and in the algebraic theory of effects, and to 
extend their applicability to threads. As our results demonstrate, the convergence of these 
three lines of work proved interesting and fruitful. 

We focus on a particular small language with constructs for threads. Several possible extensions may be considered. These include constructs for parallel composition, nondeterministic choice, higher-order functions, and thread-joining. More speculatively, they also include generalized yields, of the kind that arise in the algebraic theory of effects, as discussed in Section 6. Importantly, our monadic treatment of threads indicates how to add higher-order functions to the semantics.

Our results mostly carry over to these extensions. In some cases, small changes or restrictions are required. In particular, the full-abstraction proof with nondeterministic choice would use fresh variables; the one for higher-order functions might require standard limitations on the order of functions, cf. [Jef95]. Thus, our approach seems to be robust, and indeed (as in the case of higher-order functions) helpful in accounting for a range of language features. Further, our algebraic analysis of the thread monad links it to the broader theme of the algebraic treatment of effects. In that regard, as the discussion after Theorem 6.4 indicates, there is clearly still further understanding to be gained.

Another possible direction for further work is the exploration of alternative semantics. For instance, we could switch from the "may" semantics that we study to "must" semantics. We could also define alternative notions of observation. As suggested in Section 5.3, some of the coarser notions of observation might require closure conditions, such as closure under suitable forms of stuttering and under mumbling. These may correspond to suitable axioms on the suspension operator $d$, as alluded to in [Plo06]: we conjecture that stuttering corresponds to $d(d(x)) \leq d(x)$ and that mumbling corresponds to $d(x) \geq x$.

It would also be interesting to consider finer notions of observation that distinguish blocking from divergence. To this end we could add constructs such as orElse [HMP05] and, in the semantics, treat blocking as a kind of exception. Finally, we could revisit lower-level semantics with explicit optimistic concurrency and roll-backs, of the kind employed in the implementation of AME.